Cisco SE - Malware execusion on host

CiscoSecureEndpoint
| where EventMessage has 'Executed Malware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

queryPeriod: 15m
description: |
    'Detects malware execution on host.'
relevantTechniques:
- T1204.002
triggerThreshold: 0
id: aea4468e-6322-48b6-bd83-f9d300cce855
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMalwareExecution.yaml
kind: Scheduled
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Executed Malware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
  entityType: Malware
triggerOperator: gt
tactics:
- Execution
status: Available
name: Cisco SE - Malware execusion on host
version: 1.0.0
severity: High
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint