Cyble Vision Alerts SSL Certificate Expiry

Alerts_ssl_expiry
| where Service == "ssl_expiry" 
| extend MappedSeverity = Severity

name: Cyble Vision Alerts SSL Certificate Expiry
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry" 
  | extend MappedSeverity = Severity  
queryfrequency: 30m
triggerOperator: GreaterThan
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
tactics:
- InitialAccess
- Impact
status: Available
incidentConfiguration:
  alertDetailsOverride: 
  alertDescriptionFormat: ""
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
  alertDisplayNameFormat: SSL Certificate Expiry  {{DC_ServerName}}
  createIncident: true
enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
description: |
    'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
version: 1.0.0
entityMappings:
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: SS_Asset
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SS_Asset
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SS_Port
kind: Scheduled
customDetails:
  Asset: SS_Asset
  Service: Service
  Port: SS_Port
  DaysToExpiry: SS_DaysUntilExpiry
  MappedSeverity: Severity
  Status: Status
  AlertID: AlertID
  ExpiryDate: SS_Expiry
  CertificateTitle: SS_Title
relevantTechniques:
- T1190
- T1499
severity: Low
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
queryPeriod: 30m