
Summary
This analytic detects Cisco SD-WAN control peering activity by identifying syslog events that record a control-connection-state-change transition. It uses the cisco_sd_wan_syslog macro and a set of rex extractions to pull the key fields from the raw event: peer-type, peer-system-ip, public-ip and public-port, together with a calculated destination. The search aggregates results by peer_type, peer_system_ip, destination and new_state, producing a table of event_time (the latest timestamp in each group), destination, peer_type, peer_system_ip, the collected public IPs and ports, and a count.

Analysts should validate that peer-system-ip matches the environment's SD-WAN addressing scheme and device inventory, confirm that the event timing aligns with maintenance, failover or planned changes, and verify that the public-ip is a sanctioned source for control peering. Events with peer-type:vmanage deserve particular scrutiny, especially when the peer or source IP values have not been seen before. The rule is designed to surface anomalous or unexpected SD-WAN control-plane peers and transitions that could indicate misconfiguration or potential risk, enabling focused investigation and validation against operational change records.
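The extraction-and-aggregation logic described above, re-implemented in Python over constructed syslog lines as an added illustration (this is not the detection's own SPL or the cisco_sd_wan_syslog macro). The sample line layout, the regex, the choice of the reporting device's host-name as the calculated destination, and the sanctioned vManage inventory are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating Cisco SD-WAN control-connection-state-change notifications.
# Field names follow the page; the surrounding syslog layout is an assumption, not a captured event.
SAMPLE_SYSLOG = [
    'Mar  2 10:00:01 vedge-br1 vdaemon: Notification: control-connection-state-change host-name:"vedge-br1" '
    'peer-type:vmanage peer-system-ip:10.1.0.1 public-ip:203.0.113.10 public-port:12346 new-state:up',
    'Mar  2 10:00:02 vedge-br1 vdaemon: Notification: control-connection-state-change host-name:"vedge-br1" '
    'peer-type:vsmart peer-system-ip:10.1.0.2 public-ip:203.0.113.11 public-port:12346 new-state:up',
    'Mar  2 10:05:00 vedge-br1 vdaemon: Notification: control-connection-state-change host-name:"vedge-br1" '
    'peer-type:vmanage peer-system-ip:10.1.0.9 public-ip:198.51.100.77 public-port:12446 new-state:up',
    'Mar  2 10:06:00 vedge-br1 vdaemon: Notification: control-connection-state-change host-name:"vedge-br1" '
    'peer-type:vmanage peer-system-ip:10.1.0.9 public-ip:198.51.100.77 public-port:12546 new-state:up',
    'Mar  2 10:07:00 vedge-br1 vdaemon: Notification: omp-state-change host-name:"vedge-br1" new-state:up',
]

# Stand-in for the rex extractions: key:value pairs, with optional quotes around the value.
FIELD_RE = re.compile(r'(peer-type|peer-system-ip|public-ip|public-port|new-state|host-name):"?([^\s"]+)"?')


def parse_event(line):
    """Return the key fields of a control-connection-state-change event, or None for any other event."""
    if "control-connection-state-change" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["event_time"] = line[:15]  # syslog timestamp prefix, e.g. "Mar  2 10:00:01"
    fields["destination"] = fields.get("host-name", "unknown")  # assumption: destination = reporting device
    return fields


def aggregate(lines):
    """Group by (peer_type, peer_system_ip, destination, new_state); keep latest time, endpoints, count."""
    groups = defaultdict(lambda: {"event_time": "", "public_endpoints": set(), "count": 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev.get("peer-type"), ev.get("peer-system-ip"), ev["destination"], ev.get("new-state"))
        g = groups[key]
        g["event_time"] = max(g["event_time"], ev["event_time"])  # lexical max is enough within one month
        g["public_endpoints"].add(f'{ev.get("public-ip")}:{ev.get("public-port")}')
        g["count"] += 1
    return dict(groups)


def unexpected_vmanage_peers(groups, sanctioned_vmanage):
    """Triage step from the summary: flag vManage peer groups whose peer-system-ip is not in the
    (assumed) inventory, or whose public-ip differs from the sanctioned one for that system IP."""
    flagged = []
    for key, g in groups.items():
        peer_type, peer_system_ip, _, _ = key
        if peer_type != "vmanage":
            continue
        expected_ip = sanctioned_vmanage.get(peer_system_ip)
        seen_ips = {ep.rsplit(":", 1)[0] for ep in g["public_endpoints"]}
        if expected_ip is None or seen_ips != {expected_ip}:
            flagged.append(key)
    return flagged
```

Running `unexpected_vmanage_peers(aggregate(SAMPLE_SYSLOG), {"10.1.0.1": "203.0.113.10"})` flags only the previously unseen vManage peer 10.1.0.9, while the sanctioned vManage and the vSmart group pass.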
Categories
- Network
Data Sources
- Cloud Service
- Cloud Storage
- Pod
- Container
- Network Traffic
- Process
- Logon Session
- Application Log
- File
- Command
- Module
- Script
- Internet Scan
- Windows Registry
- Certificate
- WMI
- Sensor Health
- Active Directory
- Service
- Kernel
- Driver
- Volume
- Domain Name
- Network Share
- Scheduled Job
- Firmware
- Snapshot
- Instance
- User Account
- Group
- Persona
- Malware Repository
- Named Pipe
- Drive
- Image
- Web Credential
- Firewall
ATT&CK Techniques
- T1190
Created: 2026-03-02