Cyble Vision Alerts SSL Certificate Expiry
| Field | Value |
|---|---|
| Id | A667D635-D2A7-47E7-8827-8FB243AF2AFD |
| Rulename | Cyble Vision Alerts SSL Certificate Expiry |
| Description | Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation. |
| Severity | Low |
| Tactics | InitialAccess, Impact |
| Techniques | T1190, T1499 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml |
| Version | 1.0.0 |
| Arm template | A667D635-D2A7-47E7-8827-8FB243AF2AFD.json |
```kql
Alerts_ssl_expiry
| where Service == "ssl_expiry"
| extend MappedSeverity = Severity
```
```yaml
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
name: Cyble Vision Alerts SSL Certificate Expiry
description: |
  'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
severity: Low
status: Available
enabled: true
kind: Scheduled
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
requiredDataConnectors:
  - connectorId: CybleVisionAlerts
    dataTypes:
      - CybleVisionAlerts_CL
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: GreaterThan
triggerThreshold: 0
tactics:
  - InitialAccess
  - Impact
relevantTechniques:
  - T1190
  - T1499
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry"
  | extend MappedSeverity = Severity
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: SS_Asset
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SS_Asset
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SS_Port
customDetails:
  DaysToExpiry: SS_DaysUntilExpiry
  ExpiryDate: SS_Expiry
  Asset: SS_Asset
  MappedSeverity: Severity
  CertificateTitle: SS_Title
  Port: SS_Port
  Service: Service
  Status: Status
  AlertID: AlertID
alertDetailsOverride:
  alertDisplayNameFormat: SSL Certificate Expiry {{DC_ServerName}}
  alertDescriptionFormat: ""
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
```