Cyble Vision Alerts SSL Certificate Expiry
| Field | Value |
| --- | --- |
| Id | A667D635-D2A7-47E7-8827-8FB243AF2AFD |
| Rulename | Cyble Vision Alerts SSL Certificate Expiry |
| Description | Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation. |
| Severity | Low |
| Tactics | InitialAccess, Impact |
| Techniques | T1190, T1499 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml |
| Version | 1.0.0 |
| Arm template | A667D635-D2A7-47E7-8827-8FB243AF2AFD.json |
```kusto
Alerts_ssl_expiry
| where Service == "ssl_expiry"
| extend MappedSeverity = Severity
```
```yaml
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: SS_Asset
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SS_Asset
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SS_Port
tactics:
  - InitialAccess
  - Impact
requiredDataConnectors:
  - dataTypes:
      - CybleVisionAlerts_CL
    connectorId: CybleVisionAlerts
incidentConfiguration:
  alertDescriptionFormat: ""
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
alertDetailsOverride:
  alertDisplayNameFormat: SSL Certificate Expiry {{DC_ServerName}}
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
severity: Low
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  ExpiryDate: SS_Expiry
  AlertID: AlertID
  Port: SS_Port
  CertificateTitle: SS_Title
  MappedSeverity: Severity
  DaysToExpiry: SS_DaysUntilExpiry
  Service: Service
  Asset: SS_Asset
  Status: Status
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry"
  | extend MappedSeverity = Severity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
kind: Scheduled
queryPeriod: 30m
enabled: true
version: 1.0.0
name: Cyble Vision Alerts SSL Certificate Expiry
queryfrequency: 30m
triggerThreshold: 0
relevantTechniques:
  - T1190
  - T1499
description: |
  'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
triggerOperator: GreaterThan
```