Cyble Vision Alerts OT/ICS Threat Activity Detected
| Id | c1ebc79d-7f46-429e-bf2c-8bb0b75ba6b2 |
| Rulename | Cyble Vision Alerts OT/ICS Threat Activity Detected |
| Description | This alert indicates detection of OT/ICS-related network activity involving industrial control protocols (e.g., IEC104). May indicate probing, reconnaissance, or attempted access against critical infrastructure assets. |
| Severity | Low |
| Tactics | Discovery, Collection |
| Techniques | T0842, T0830 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ot_ics_rule.yaml |
| Version | 1.0.0 |
| Arm template | c1ebc79d-7f46-429e-bf2c-8bb0b75ba6b2.json |
// Source of Cyble Vision OT/ICS alert rows (the CybleVisionAlerts_CL data type, see requiredDataConnectors below)
Alerts_ot_ics
// Keep only rows from the OT/ICS service; other Cyble services are out of scope for this rule
| where Service == "ot_ics"
// Carry the vendor severity along under the column name exposed in customDetails
| extend MappedSeverity = Severity
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ot_ics_rule.yaml
query: |
  Alerts_ot_ics
  | where Service == "ot_ics"
  | extend MappedSeverity = Severity
enabled: true
version: 1.0.0
queryFrequency: 30m
id: c1ebc79d-7f46-429e-bf2c-8bb0b75ba6b2
requiredDataConnectors:
  - dataTypes:
      - CybleVisionAlerts_CL
    connectorId: CybleVisionAlerts
name: Cyble Vision Alerts OT/ICS Threat Activity Detected
description: |
  'This alert indicates detection of OT/ICS-related network activity involving industrial control protocols (e.g., IEC104). May indicate probing, reconnaissance, or attempted access against critical infrastructure assets.'
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
alertDetailsOverride:
  alertDisplayNameFormat: OT/ICS Activity Detected from {{OT_SourceIP}}
  description: |
    Cyble detected industrial control system related traffic involving protocol {{OT_DataType}} from IP {{OT_SourceIP}}. Destination port: {{OT_DestPort}}. Country: {{OT_Country}}. This may indicate reconnaissance or hostile probing of OT/ICS infrastructure.
triggerOperator: GreaterThan
queryPeriod: 30m
kind: Scheduled
tactics:
  - Discovery
  - Collection
status: Available
severity: Low
relevantTechniques:
  - T0842
  - T0830
customDetails:
  Service: Service
  AlertID: AlertID
  OT_IP_Reputation: OT_IP_Reputation
  OT_DestPort: OT_DestPort
  Status: Status
  OT_ASN: OT_ASN
  OT_SourceIP: OT_SourceIP
  MappedSeverity: Severity
  OT_DataType: OT_DataType
  OT_Country: OT_Country
triggerThreshold: 0
entityMappings:
  - entityType: IP
    fieldMappings:
      - columnName: OT_SourceIP
        identifier: Address
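The rule's moving parts (the KQL filter, AlertPerResult aggregation, the alertDetailsOverride templates, customDetails and the IP entity mapping) can be replayed offline against a handful of records to see exactly what an analyst will receive. The Python below is an added example, not code from the Cyble Vision solution or from Microsoft Sentinel. The three sample rows are constructed, the column names are the ones used in the YAML above, and the description template's punctuation is tidied. It shows what an OT/ICS row becomes as an alert, that a row from another Cyble service is dropped by the filter, and that a null source IP renders as empty text and produces no IP entity rather than breaking the template.

```python
"""Offline replay of the 'Cyble Vision Alerts OT/ICS Threat Activity Detected' rule.

Added example, not the solution's or Sentinel's own code. Column names follow the
rule YAML; the sample rows are constructed and are not real Cyble Vision data.
"""
import re
from dataclasses import dataclass, field

# Values copied from the rule definition.
SERVICE_FILTER = "ot_ics"
TRIGGER_THRESHOLD = 0  # triggerOperator: GreaterThan, triggerThreshold: 0
DISPLAY_NAME_FORMAT = "OT/ICS Activity Detected from {{OT_SourceIP}}"
DESCRIPTION_FORMAT = (
    "Cyble detected industrial control system related traffic involving protocol "
    "{{OT_DataType}} from IP {{OT_SourceIP}}. Destination port: {{OT_DestPort}}. "
    "Country: {{OT_Country}}. This may indicate reconnaissance or hostile probing "
    "of OT/ICS infrastructure."
)
CUSTOM_DETAILS = {  # alert property -> source column, as in customDetails
    "Service": "Service", "AlertID": "AlertID", "OT_IP_Reputation": "OT_IP_Reputation",
    "OT_DestPort": "OT_DestPort", "Status": "Status", "OT_ASN": "OT_ASN",
    "OT_SourceIP": "OT_SourceIP", "MappedSeverity": "Severity",
    "OT_DataType": "OT_DataType", "OT_Country": "OT_Country",
}

# Constructed rows standing in for the output of Alerts_ot_ics (hypothetical values).
SAMPLE_ROWS = [
    {"Service": "ot_ics", "AlertID": "a-001", "Severity": "Low", "Status": "open",
     "OT_SourceIP": "203.0.113.45", "OT_DestPort": 2404, "OT_DataType": "IEC104",
     "OT_Country": "NL", "OT_ASN": "AS64500", "OT_IP_Reputation": "suspicious"},
    {"Service": "ot_ics", "AlertID": "a-002", "Severity": "Medium", "Status": "open",
     "OT_SourceIP": None, "OT_DestPort": 502, "OT_DataType": "Modbus",
     "OT_Country": "US", "OT_ASN": "AS64501", "OT_IP_Reputation": "malicious"},
    {"Service": "darkweb", "AlertID": "a-003", "Severity": "High", "Status": "open",
     "OT_SourceIP": "198.51.100.7", "OT_DestPort": None, "OT_DataType": None,
     "OT_Country": None, "OT_ASN": None, "OT_IP_Reputation": None},
]


@dataclass
class Alert:
    display_name: str
    description: str
    custom_details: dict
    entities: list = field(default_factory=list)


def run_query(rows):
    """Alerts_ot_ics | where Service == "ot_ics" | extend MappedSeverity = Severity"""
    return [dict(r, MappedSeverity=r["Severity"]) for r in rows
            if r.get("Service") == SERVICE_FILTER]


def render(template, row):
    """Substitute {{Column}} placeholders as alertDetailsOverride does.
    A missing or null column renders as empty text instead of raising."""
    return re.sub(
        r"\{\{(\w+)\}\}",
        lambda m: "" if row.get(m.group(1)) is None else str(row[m.group(1)]),
        template,
    )


def build_alerts(rows):
    """aggregationKind: AlertPerResult -> one alert per returned row, emitted only
    when the result count satisfies triggerOperator/triggerThreshold."""
    results = run_query(rows)
    if not len(results) > TRIGGER_THRESHOLD:
        return []
    alerts = []
    for row in results:
        entities = []
        if row.get("OT_SourceIP"):  # entityMappings: IP entity, Address <- OT_SourceIP
            entities.append({"type": "IP", "Address": row["OT_SourceIP"]})
        alerts.append(Alert(
            display_name=render(DISPLAY_NAME_FORMAT, row),
            description=render(DESCRIPTION_FORMAT, row),
            custom_details={k: row.get(col) for k, col in CUSTOM_DETAILS.items()},
            entities=entities,
        ))
    return alerts


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_ROWS):
        print(a.display_name, "|", a.custom_details["MappedSeverity"], "|", a.entities)
```

Two operational consequences follow directly from the configuration. With incident grouping disabled and aggregation per result, every matching row opens its own incident, so a single scanner that keeps probing port 2404 will open a new incident on each 30-minute run; tuning on OT_IP_Reputation or allow-listing known engineering hosts by OT_SourceIP is the usual first follow-up. And because the only mapped entity is the source IP, a row whose OT_SourceIP is null yields an alert with no entities at all, which is worth knowing before relying on entity-based automation downstream.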