Cyble Vision Alerts OTICS Threat Activity Detected

Alerts_ot_ics  
| where Service == "ot_ics" 
| extend MappedSeverity = Severity

query: |
  Alerts_ot_ics  
  | where Service == "ot_ics" 
  | extend MappedSeverity = Severity  
version: 1.0.0
incidentConfiguration:
  createIncident: true
  alertDisplayNameFormat: OT/ICS Activity Detected from {{OT_SourceIP}}
  alertDetailsOverride: 
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
  description: |
        Cyble detected industrial control system related traffic involving protocol {{OT_DataType}} from IP {{OT_SourceIP}}. Destination port {{OT_DestPort}}. Country. {{OT_Country}}. This may indicate reconnaissance or hostile probing of OT/ICS infrastructure.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ot_ics_rule.yaml
triggerThreshold: 0
relevantTechniques:
- T0842
- T0830
tactics:
- Discovery
- Collection
kind: Scheduled
customDetails:
  OT_ASN: OT_ASN
  Service: Service
  AlertID: AlertID
  MappedSeverity: Severity
  OT_DestPort: OT_DestPort
  OT_IP_Reputation: OT_IP_Reputation
  OT_Country: OT_Country
  Status: Status
  OT_SourceIP: OT_SourceIP
  OT_DataType: OT_DataType
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: OT_SourceIP
    identifier: Address
enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryfrequency: 30m
name: Cyble Vision Alerts OT/ICS Threat Activity Detected
description: |
    'This alert indicates detection of OT/ICS-related network activity involving industrial control protocols (e.g., IEC104). May indicate probing, reconnaissance, or attempted access against critical infrastructure assets.'
queryPeriod: 30m
triggerOperator: GreaterThan
id: c1ebc79d-7f46-429e-bf2c-8bb0b75ba6b2
status: Available
severity: Low
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts