
Cisco SD-WAN - Low Frequency Rogue Peer

Splunk Security Content

Summary
This anomaly detects low-frequency rogue Cisco SD-WAN control-plane peers by analyzing control-connection-state-change events where new-state:up. It extracts peer-type and peer-system-ip, then groups events by these fields and counts occurrences within the search window. Combinations with a count <= 3 (threshold adjustable; 3 is a starting point) are flagged as rare. The rule highlights peer identities that are infrequently observed, especially those with unexpected peer-type roles or unfamiliar peer-system-ip values, which may indicate misconfigurations, unauthorized SD-WAN components, infrastructure drift, or potentially malicious control-plane connection attempts. The finding may relate to CVE-2026-20127.

The query relies on the cisco_sd_wan_syslog macro to process Cisco SD-WAN/vSmart logs and extracts the fields peer-type, peer-system-ip, and public IP/port, then uses stats by peer_type and peer_system_ip to surface rare pairings. Results present destination (dest), peer_type, peer_system_ip, public IPs/ports, and count, and feed a macro named cisco_sd_wan___low_frequency_rogue_peer_filter.

The threshold is environment-specific and should be tuned before deployment. Recommendations include establishing a known-good baseline for expected peer-system-ip, public-ip, and peer-type relationships, and using a rogue-peer outlier filter to suppress approved peers. Reference materials include Cisco SD-WAN configuration and hardening guides. Analysts should investigate flagged rare peers to determine legitimacy and potential compromise.
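The grouping and thresholding logic described above, rewritten in Python as an added illustration that is not part of the Splunk Security Content detection itself. The sample syslog lines are constructed, and their key:value layout is an assumption that only approximates how a vSmart emits control-connection-state-change notifications; the field names (peer-type, peer-system-ip, public-ip, public-port, new-state, host-name) are the ones the summary names. The approved-peer set plays the role of the known-good baseline behind the rogue-peer outlier filter macro.

```python
import re
from collections import Counter, defaultdict


# Constructed sample events (not real device output). The key:value layout is an
# assumed approximation of a Cisco SD-WAN control-connection-state-change
# notification arriving over syslog.
def _event(host, peer_type, peer_ip, pub_ip, pub_port, state, ts="Mar  2 10:00:01"):
    return (f'{ts} {host} %Viptela-vsmart-control-6-INFO: control-connection-state-change '
            f'host-name:"{host}" peer-type:{peer_type} peer-system-ip:{peer_ip} '
            f'public-ip:{pub_ip} public-port:{pub_port} new-state:{state}')


SAMPLE_LOGS = (
    [_event("vsmart-01", "vedge", "10.1.0.11", "203.0.113.11", 12346, "up")] * 12
    + [_event("vsmart-01", "vedge", "10.1.0.12", "203.0.113.12", 12346, "up")] * 8
    + [_event("vsmart-01", "vbond", "10.0.0.1", "203.0.113.1", 12346, "up")] * 5
    + [_event("vsmart-01", "vmanage", "10.0.0.5", "203.0.113.5", 12346, "up")] * 2
    # A never-before-seen edge from an unfamiliar public IP: one "up" and one "down".
    + [_event("vsmart-01", "vedge", "10.9.9.9", "198.51.100.7", 12406, "up")]
    + [_event("vsmart-01", "vedge", "10.9.9.9", "198.51.100.7", 12406, "down")]
    # A known system-ip presenting an unexpected peer-type role.
    + [_event("vsmart-01", "vsmart", "10.1.0.11", "203.0.113.11", 12346, "up")]
    # Unrelated notification that must be ignored by the parser.
    + ["Mar  2 10:05:00 vsmart-01 %Viptela-vsmart-system-6-INFO: unrelated notification new-state:up"]
)

# Constructed known-good baseline: (peer-type, peer-system-ip) pairs expected in this fabric.
APPROVED_PEERS = frozenset({("vbond", "10.0.0.1"), ("vmanage", "10.0.0.5")})

# Lower-case dashed keys followed by a quoted string or a run of non-space characters.
TOKEN_RE = re.compile(r'\b(?P<key>[a-z][a-z-]*):(?P<value>"[^"]*"|\S+)')


def parse_event(line):
    """Return the key/value fields of a control-connection-state-change line, else None."""
    if "control-connection-state-change" not in line:
        return None
    return {m.group("key"): m.group("value").strip('"') for m in TOKEN_RE.finditer(line)}


def find_rare_peers(lines, threshold=3, approved_peers=frozenset()):
    """Count new-state:up events per (peer_type, peer_system_ip) pair and return the
    pairs seen at most `threshold` times, minus the approved baseline pairs.
    This mirrors the detection's stats-by / count threshold / filter-macro flow."""
    counts = Counter()
    public = defaultdict(set)   # (public-ip, public-port) tuples seen per pair
    dests = defaultdict(set)    # controllers (host-name) that reported the pair
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("new-state") != "up":
            continue
        key = (ev.get("peer-type"), ev.get("peer-system-ip"))
        counts[key] += 1
        public[key].add((ev.get("public-ip"), ev.get("public-port")))
        dests[key].add(ev.get("host-name"))

    findings = []
    for key, count in counts.items():
        if count > threshold or key in approved_peers:
            continue
        peer_type, peer_system_ip = key
        findings.append({
            "dest": sorted(dests[key]),
            "peer_type": peer_type,
            "peer_system_ip": peer_system_ip,
            "public": sorted(public[key]),
            "count": count,
        })
    # Rarest pairs first, so the analyst triages the least familiar identities first.
    return sorted(findings, key=lambda f: (f["count"], f["peer_type"], f["peer_system_ip"]))


if __name__ == "__main__":
    for finding in find_rare_peers(SAMPLE_LOGS, approved_peers=APPROVED_PEERS):
        print(finding)
```

Without the approved-peer set, the vmanage pair is also reported because it appears only twice in the window; that is exactly the kind of legitimate but infrequent peer the baseline is meant to suppress, and raising the threshold to 5 would additionally pull in the vbond pair, which is why the summary stresses tuning the threshold per environment.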
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2026-03-02