From c1593905b0f28086eac5c6a1162eed700dd1c41d Mon Sep 17 00:00:00 2001
From: taylor_socfortress <111797488+taylorwalton@users.noreply.github.com>
Date: Fri, 4 Aug 2023 10:25:49 -0500
Subject: [PATCH] Update 300100-cisco_secure_endpoint.xml

---
 .../300100-cisco_secure_endpoint.xml               | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/Cisco Secure Endpoint/300100-cisco_secure_endpoint.xml b/Cisco Secure Endpoint/300100-cisco_secure_endpoint.xml
index adc0bc1..29edf03 100644
--- a/Cisco Secure Endpoint/300100-cisco_secure_endpoint.xml	
+++ b/Cisco Secure Endpoint/300100-cisco_secure_endpoint.xml	
@@ -6,4 +6,18 @@
     <group>cisco_secure_endpoint,</group>
     <description>Cisco Secure Endpoint - Notification</description>
   </rule>
+  <rule id="300101" level="12">
+    <if_sid>300100</if_sid>
+    <field name="win.system.message" type="pcre2">(?i)^"Quarantine</field>
+    <options>no_full_log</options>
+    <group>cisco_secure_endpoint,</group>
+    <description>Cisco Secure Endpoint - Quarantine Event</description>
+  </rule>
+  <rule id="300102" level="12">
+    <if_sid>300100</if_sid>
+    <field name="win.system.message" type="pcre2">(?i)^"Malicious</field>
+    <options>no_full_log</options>
+    <group>cisco_secure_endpoint,</group>
+    <description>Cisco Secure Endpoint - Malicious Event</description>
+  </rule>
 </group>