Cyble Vision Alerts SSL Certificate Expiry

Alerts_ssl_expiry
| where Service == "ssl_expiry" 
| extend MappedSeverity = Severity

name: Cyble Vision Alerts SSL Certificate Expiry
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
enabled: true
entityMappings:
- fieldMappings:
  - columnName: SS_Asset
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: SS_Asset
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: SS_Port
    identifier: HostName
  entityType: Host
version: 1.0.0
triggerOperator: GreaterThan
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry" 
  | extend MappedSeverity = Severity  
description: |
    'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
kind: Scheduled
queryfrequency: 30m
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
severity: Low
incidentConfiguration:
  createIncident: true
  alertDisplayNameFormat: SSL Certificate Expiry  {{DC_ServerName}}
  alertDetailsOverride: 
  alertDescriptionFormat: ""
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 30m
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
status: Available
customDetails:
  AlertID: AlertID
  ExpiryDate: SS_Expiry
  Asset: SS_Asset
  DaysToExpiry: SS_DaysUntilExpiry
  CertificateTitle: SS_Title
  Service: Service
  Status: Status
  Port: SS_Port
  MappedSeverity: Severity
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1190
- T1499
tactics:
- InitialAccess
- Impact