Cisco SE - Policy update failure

CiscoSecureEndpoint
| where EventMessage =~ 'Policy Update Failure'
| extend HostCustomEntity = DstHostname

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEPolicyUpdateFailure.yaml
query: |
  CiscoSecureEndpoint
  | where EventMessage =~ 'Policy Update Failure'
  | extend HostCustomEntity = DstHostname  
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
tactics:
- DefenseEvasion
name: Cisco SE - Policy update failure
relevantTechniques:
- T1562
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects policy updates failures.'
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
queryPeriod: 1h
id: 64fece0a-44db-4bab-844d-fd503dc0aaba