Cyble Vision Alerts SSL Certificate Expiry
| Field | Value |
| --- | --- |
| Id | A667D635-D2A7-47E7-8827-8FB243AF2AFD |
| Rulename | Cyble Vision Alerts SSL Certificate Expiry |
| Description | Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation. |
| Severity | Low |
| Tactics | InitialAccess, Impact |
| Techniques | T1190, T1499 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml |
| Version | 1.0.0 |
| Arm template | A667D635-D2A7-47E7-8827-8FB243AF2AFD.json |
```kql
Alerts_ssl_expiry
| where Service == "ssl_expiry"
| extend MappedSeverity = Severity
```
```yaml
severity: Low
triggerOperator: GreaterThan
relevantTechniques:
  - T1190
  - T1499
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
enabled: true
customDetails:
  Status: Status
  Port: SS_Port
  Asset: SS_Asset
  DaysToExpiry: SS_DaysUntilExpiry
  Service: Service
  ExpiryDate: SS_Expiry
  AlertID: AlertID
  CertificateTitle: SS_Title
  MappedSeverity: Severity
entityMappings:
  - fieldMappings:
      - identifier: DomainName
        columnName: SS_Asset
    entityType: DNS
  - fieldMappings:
      - identifier: HostName
        columnName: SS_Asset
    entityType: Host
  - fieldMappings:
      - identifier: HostName
        columnName: SS_Port
    entityType: Host
kind: Scheduled
status: Available
tactics:
  - InitialAccess
  - Impact
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry"
  | extend MappedSeverity = Severity
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
  - connectorId: CybleVisionAlerts
    dataTypes:
      - CybleVisionAlerts_CL
queryPeriod: 30m
version: 1.0.0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
alertDetailsOverride:
  alertDescriptionFormat: ""
  alertDisplayNameFormat: SSL Certificate Expiry {{DC_ServerName}}
description: |
  'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
triggerThreshold: 0
queryfrequency: 30m
name: Cyble Vision Alerts SSL Certificate Expiry
```