Cisco SE - Policy update failure

CiscoSecureEndpoint
| where EventMessage =~ 'Policy Update Failure'
| extend HostCustomEntity = DstHostname

description: |
    'Detects policy updates failures.'
version: 1.0.0
tactics:
- DefenseEvasion
triggerOperator: gt
query: |
  CiscoSecureEndpoint
  | where EventMessage =~ 'Policy Update Failure'
  | extend HostCustomEntity = DstHostname  
status: Available
kind: Scheduled
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1562
id: 64fece0a-44db-4bab-844d-fd503dc0aaba
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
severity: Medium
name: Cisco SE - Policy update failure
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEPolicyUpdateFailure.yaml
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint