Cyble Vision Alerts SSL Certificate Expiry
| Field | Value |
| --- | --- |
| Id | A667D635-D2A7-47E7-8827-8FB243AF2AFD |
| Rulename | Cyble Vision Alerts SSL Certificate Expiry |
| Description | Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation. |
| Severity | Low |
| Tactics | InitialAccess, Impact |
| Techniques | T1190, T1499 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml |
| Version | 1.0.0 |
| Arm template | A667D635-D2A7-47E7-8827-8FB243AF2AFD.json |
Query:

```kql
Alerts_ssl_expiry
| where Service == "ssl_expiry"
| extend MappedSeverity = Severity
```
Rule definition (YAML):

```yaml
requiredDataConnectors:
  - dataTypes:
      - CybleVisionAlerts_CL
    connectorId: CybleVisionAlerts
queryPeriod: 30m
triggerThreshold: 0
queryFrequency: 30m
version: 1.0.0
status: Available
severity: Low
enabled: true
description: |
  'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
name: Cyble Vision Alerts SSL Certificate Expiry
kind: Scheduled
entityMappings:
  - fieldMappings:
      - identifier: DomainName
        columnName: SS_Asset
    entityType: DNS
  - fieldMappings:
      - identifier: HostName
        columnName: SS_Asset
    entityType: Host
  - fieldMappings:
      - identifier: HostName
        columnName: SS_Port
    entityType: Host
triggerOperator: GreaterThan
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
  - InitialAccess
  - Impact
relevantTechniques:
  - T1190
  - T1499
customDetails:
  Asset: SS_Asset
  CertificateTitle: SS_Title
  ExpiryDate: SS_Expiry
  MappedSeverity: Severity
  Port: SS_Port
  DaysToExpiry: SS_DaysUntilExpiry
  AlertID: AlertID
  Status: Status
  Service: Service
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry"
  | extend MappedSeverity = Severity
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
alertDetailsOverride:
  alertDescriptionFormat: ""
  alertDisplayNameFormat: SSL Certificate Expiry {{DC_ServerName}}
```