Antivirus Detected an Infected File

Syslog
| where SyslogMessage contains "found an infected file"
| extend 
    EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
    DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
    Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
    FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
    Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
| project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus

name: Antivirus Detected an Infected File
relevantTechniques:
- T1203
id: 4f767afa-d666-4ed4-b453-a4f5ad35181b
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: CTERA
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: EdgeFiler
  entityType: Host
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
suppressionDuration: PT5H
alertDetailsOverride:
  alertDescriptionFormat: Antivirus detected an infected file on {{EdgeFiler}} at {{DetectionTime}}.
  alertnameFormat: Antivirus Detected an Infected File
status: Available
query: |
  Syslog
  | where SyslogMessage contains "found an infected file"
  | extend 
      EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
      DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
      Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
      FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
      Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
  | project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus  
tactics:
- Impact
kind: NRT
description: Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
customDetails:
  FilePath: FilePath
  Portal: Portal
  EdgeFiler: EdgeFiler
  Virus: Virus