Cyble Vision Alerts SSL Certificate Expiry
| Field | Value |
|---|---|
| Id | A667D635-D2A7-47E7-8827-8FB243AF2AFD |
| Rulename | Cyble Vision Alerts SSL Certificate Expiry |
| Description | Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation. |
| Severity | Low |
| Tactics | InitialAccess, Impact |
| Techniques | T1190, T1499 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml |
| Version | 1.0.0 |
| Arm template | A667D635-D2A7-47E7-8827-8FB243AF2AFD.json |
Query:

```kql
Alerts_ssl_expiry
| where Service == "ssl_expiry"
| extend MappedSeverity = Severity
```
Rule definition (YAML):

```yaml
customDetails:
  Status: Status
  CertificateTitle: SS_Title
  Service: Service
  DaysToExpiry: SS_DaysUntilExpiry
  ExpiryDate: SS_Expiry
  Port: SS_Port
  Asset: SS_Asset
  MappedSeverity: Severity
  AlertID: AlertID
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry"
  | extend MappedSeverity = Severity
requiredDataConnectors:
  - dataTypes:
      - CybleVisionAlerts_CL
    connectorId: CybleVisionAlerts
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
alertDetailsOverride:
  alertDisplayNameFormat: SSL Certificate Expiry {{DC_ServerName}}
  alertDescriptionFormat: ""
relevantTechniques:
  - T1190
  - T1499
kind: Scheduled
name: Cyble Vision Alerts SSL Certificate Expiry
tactics:
  - InitialAccess
  - Impact
severity: Low
entityMappings:
  - fieldMappings:
      - identifier: DomainName
        columnName: SS_Asset
    entityType: DNS
  - fieldMappings:
      - identifier: HostName
        columnName: SS_Asset
    entityType: Host
  - fieldMappings:
      - identifier: HostName
        columnName: SS_Port
    entityType: Host
enabled: true
queryFrequency: 30m
description: |
  'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.0
queryPeriod: 30m
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
```
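The rule's description says severity is normalized through `MappedSeverity`, but the shipped query only copies the vendor `Severity` column into it, so every incident still lands at the static `severity: Low`. The query below is an added example, not the Cyble Vision solution's own query, showing what that normalization would look like when it uses the columns this rule already references in `customDetails`. Assumptions: the `Alerts_ssl_expiry` function exposes `SS_DaysUntilExpiry`, `SS_Expiry`, `SS_Asset`, `SS_Port`, `SS_Title`, `Status`, `AlertID` and `Severity` as named on this page plus a `TimeGenerated` column; the vendor severity strings matched (`critical`, `high`, `medium`, `low`) are assumed values, not taken from Cyble documentation.

```kql
// Added example, not the Cyble Vision solution's query.
// Assumption: Alerts_ssl_expiry yields the SS_* columns the rule's customDetails
// reference, plus TimeGenerated. Vendor severity strings are assumed.
Alerts_ssl_expiry
| where Service == "ssl_expiry"
// Days left is the signal that matters for an expiry finding; cast it once.
| extend DaysToExpiry = toint(SS_DaysUntilExpiry)
// Fold whatever the vendor sends into Sentinel's four severity values.
| extend VendorSeverity = case(
    tolower(tostring(Severity)) in ("critical", "high"), "High",
    tolower(tostring(Severity)) == "medium", "Medium",
    tolower(tostring(Severity)) == "low", "Low",
    "Informational")
// Time left overrides the vendor label: an expired or week-away certificate is
// High regardless, one inside 30 days is at least Medium.
| extend MappedSeverity = case(
    isnotnull(DaysToExpiry) and DaysToExpiry <= 7, "High",
    isnotnull(DaysToExpiry) and DaysToExpiry <= 30
        and VendorSeverity in ("Low", "Informational"), "Medium",
    VendorSeverity)
// Separate host and port so entity mapping receives a host name, not a port.
| extend HostName = tostring(SS_Asset), Port = toint(SS_Port)
| project TimeGenerated, AlertID, Status, SS_Title, SS_Asset, HostName, Port,
          SS_Expiry, DaysToExpiry, Severity, VendorSeverity, MappedSeverity
```

To let the computed value drive incident severity, add `alertSeverityColumnName: MappedSeverity` under `alertDetailsOverride`; otherwise the rule's static `severity: Low` applies to every result. Two further points a practitioner should check before deploying the rule as shipped: `alertDisplayNameFormat` references `{{DC_ServerName}}`, which is not a column produced by the query or listed in `customDetails`, so the placeholder renders empty (pointing it at `{{SS_Asset}}` uses a column the rule does produce); and the third entity mapping feeds `SS_Port` into a Host `HostName`, which creates a Host entity named after a port number, so map the host name and keep the port in `customDetails` as the `Port` field already does.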