Cyble Vision Alerts OT/ICS Threat Activity Detected

| Field | Value |
|---|---|
| Id | c1ebc79d-7f46-429e-bf2c-8bb0b75ba6b2 |
| Rulename | Cyble Vision Alerts OT/ICS Threat Activity Detected |
| Description | This alert indicates detection of OT/ICS-related network activity involving industrial control protocols (e.g., IEC104). May indicate probing, reconnaissance, or attempted access against critical infrastructure assets. |
| Severity | Low |
| Tactics | Discovery, Collection |
| Techniques | T0842, T0830 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ot_ics_rule.yaml |
| Version | 1.0.0 |
| Arm template | c1ebc79d-7f46-429e-bf2c-8bb0b75ba6b2.json |
```kql
Alerts_ot_ics
| where Service == "ot_ics"
| extend MappedSeverity = Severity
```
```yaml
triggerOperator: GreaterThan
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
alertDetailsOverride:
  description: |
    Cyble detected industrial control system related traffic involving protocol {{OT_DataType}} from IP {{OT_SourceIP}}. Destination port {{OT_DestPort}}. Country: {{OT_Country}}. This may indicate reconnaissance or hostile probing of OT/ICS infrastructure.
  alertDisplayNameFormat: OT/ICS Activity Detected from {{OT_SourceIP}}
requiredDataConnectors:
  - connectorId: CybleVisionAlerts
    dataTypes:
      - CybleVisionAlerts_CL
relevantTechniques:
  - T0842
  - T0830
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: OT_SourceIP
query: |
  Alerts_ot_ics
  | where Service == "ot_ics"
  | extend MappedSeverity = Severity
triggerThreshold: 0
customDetails:
  Status: Status
  OT_SourceIP: OT_SourceIP
  MappedSeverity: Severity
  OT_ASN: OT_ASN
  Service: Service
  OT_IP_Reputation: OT_IP_Reputation
  OT_DestPort: OT_DestPort
  OT_Country: OT_Country
  OT_DataType: OT_DataType
  AlertID: AlertID
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ot_ics_rule.yaml
queryPeriod: 30m
tactics:
  - Discovery
  - Collection
name: Cyble Vision Alerts OT/ICS Threat Activity Detected
description: |
  'This alert indicates detection of OT/ICS-related network activity involving industrial control protocols (e.g., IEC104). May indicate probing, reconnaissance, or attempted access against critical infrastructure assets.'
kind: Scheduled
enabled: true
id: c1ebc79d-7f46-429e-bf2c-8bb0b75ba6b2
version: 1.0.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 30m
severity: Low
status: Available
```