Cyble Vision Alerts OTICS Threat Activity Detected

Alerts_ot_ics  
| where Service == "ot_ics" 
| extend MappedSeverity = Severity

eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: OT_SourceIP
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ot_ics_rule.yaml
enabled: true
incidentConfiguration:
  alertDetailsOverride: 
  description: |
        Cyble detected industrial control system related traffic involving protocol {{OT_DataType}} from IP {{OT_SourceIP}}. Destination port {{OT_DestPort}}. Country. {{OT_Country}}. This may indicate reconnaissance or hostile probing of OT/ICS infrastructure.
  alertDisplayNameFormat: OT/ICS Activity Detected from {{OT_SourceIP}}
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
name: Cyble Vision Alerts OT/ICS Threat Activity Detected
relevantTechniques:
- T0842
- T0830
status: Available
version: 1.0.0
queryPeriod: 30m
customDetails:
  OT_DestPort: OT_DestPort
  Status: Status
  OT_Country: OT_Country
  OT_DataType: OT_DataType
  MappedSeverity: Severity
  OT_IP_Reputation: OT_IP_Reputation
  AlertID: AlertID
  OT_SourceIP: OT_SourceIP
  Service: Service
  OT_ASN: OT_ASN
kind: Scheduled
id: c1ebc79d-7f46-429e-bf2c-8bb0b75ba6b2
query: |
  Alerts_ot_ics  
  | where Service == "ot_ics" 
  | extend MappedSeverity = Severity  
description: |
    'This alert indicates detection of OT/ICS-related network activity involving industrial control protocols (e.g., IEC104). May indicate probing, reconnaissance, or attempted access against critical infrastructure assets.'
queryfrequency: 30m
severity: Low
triggerOperator: GreaterThan
tactics:
- Discovery
- Collection