Cyble Vision Alerts Vulnerability

Alerts_vulnerability 
| where Service == "vulnerability" 
| extend MappedSeverity = Severity

status: Available
enabled: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Vulnerability.yaml
version: 1.0.0
suppressionDuration: PT5H
queryPeriod: 30m
subTechniques: []
query: |
  Alerts_vulnerability 
  | where Service == "vulnerability" 
  | extend MappedSeverity = Severity  
kind: Scheduled
name: Cyble Vision Alerts Vulnerability
triggerOperator: GreaterThan
severity: Low
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 0e0cdda9-4536-4cc9-91cf-736e8957ed26
triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: V_Host
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: V_IP
queryFrequency: 30m
alertDetailsOverride:
  alertDescriptionFormat: |
        A vulnerability was detected for host {{V_Host}} (IP {{V_IP}}, Port {{V_Port}}).
  alertDynamicProperties: []
  alertDisplayNameFormat: CybleVision Vulnerability {{V_Title}}
description: |
    'Detects SSL/TLS and application vulnerabilities from CybleVision. Extracts host, IP, port, severity, vulnerability ID and first-seen metadata using the Alerts_Vulnerability parser. Incidents grouped per service.'
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
customDetails:
  V_LastSeen: V_LastSeen
  V_Confidence: V_Confidence
  Service: Service
  MappedSeverity: Severity
  V_Port: V_Port
  V_FirstSeen: V_FirstSeen
  Status: Status
  V_VulnID: V_VulnID
  AlertID: AlertID
  V_Type: V_Type
  Title: V_Title
relevantTechniques:
- T1595
- T1203
- T1046
tactics:
- Reconnaissance
- Execution
- Discovery