It's hard to answer this precisely because I don't know what devices are sending logs and what the LEM will classify those logs as when normalizing them. Therefore, this is a general example, and may or may not work for your specific example.
I think you'd end up with a rule that looks something like this:
