Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts SSL Certificate Expiry

Cyble Vision Alerts SSL Certificate Expiry

Back
IdA667D635-D2A7-47E7-8827-8FB243AF2AFD
RulenameCyble Vision Alerts SSL Certificate Expiry
DescriptionGenerates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.
SeverityLow
TacticsInitialAccess
Impact
TechniquesT1190
T1499
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
Version1.0.0
Arm templateA667D635-D2A7-47E7-8827-8FB243AF2AFD.json
Deploy To Azure
Alerts_ssl_expiry
| where Service == "ssl_expiry" 
| extend MappedSeverity = Severity

customDetails:
  AlertID: AlertID
  CertificateTitle: SS_Title
  ExpiryDate: SS_Expiry
  Port: SS_Port
  Service: Service
  Status: Status
  Asset: SS_Asset
  DaysToExpiry: SS_DaysUntilExpiry
  MappedSeverity: Severity
incidentConfiguration:
  alertDetailsOverride: 
  createIncident: true
  alertDescriptionFormat: ""
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
  alertDisplayNameFormat: SSL Certificate Expiry  {{DC_ServerName}}
queryfrequency: 30m
name: Cyble Vision Alerts SSL Certificate Expiry
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
severity: Low
triggerThreshold: 0
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry" 
  | extend MappedSeverity = Severity  
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
relevantTechniques:
- T1190
- T1499
status: Available
triggerOperator: GreaterThan
queryPeriod: 30m
enabled: true
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: SS_Asset
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: SS_Asset
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: SS_Port
    identifier: HostName
  entityType: Host
kind: Scheduled
tactics:
- InitialAccess
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml