Cyble Vision Alerts SSL Certificate Expiry
| Field | Value |
|---|---|
| Id | A667D635-D2A7-47E7-8827-8FB243AF2AFD |
| Rulename | Cyble Vision Alerts SSL Certificate Expiry |
| Description | Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation. |
| Severity | Low |
| Tactics | InitialAccess, Impact |
| Techniques | T1190, T1499 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml |
| Version | 1.0.0 |
| Arm template | A667D635-D2A7-47E7-8827-8FB243AF2AFD.json |
```kql
Alerts_ssl_expiry
| where Service == "ssl_expiry"
| extend MappedSeverity = Severity
```
```yaml
status: Available
relevantTechniques:
  - T1190
  - T1499
triggerThreshold: 0
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
incidentConfiguration:
  alertDisplayNameFormat: SSL Certificate Expiry {{DC_ServerName}}
  alertDescriptionFormat: ""
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
alertDetailsOverride:
queryPeriod: 30m
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry"
  | extend MappedSeverity = Severity
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
entityMappings:
  - fieldMappings:
      - columnName: SS_Asset
        identifier: DomainName
    entityType: DNS
  - fieldMappings:
      - columnName: SS_Asset
        identifier: HostName
    entityType: Host
  - fieldMappings:
      - columnName: SS_Port
        identifier: HostName
    entityType: Host
customDetails:
  Asset: SS_Asset
  Port: SS_Port
  Status: Status
  AlertID: AlertID
  DaysToExpiry: SS_DaysUntilExpiry
  CertificateTitle: SS_Title
  MappedSeverity: Severity
  ExpiryDate: SS_Expiry
  Service: Service
name: Cyble Vision Alerts SSL Certificate Expiry
kind: Scheduled
tactics:
  - InitialAccess
  - Impact
description: |
  'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
triggerOperator: GreaterThan
version: 1.0.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
enabled: true
queryFrequency: 30m
requiredDataConnectors:
  - connectorId: CybleVisionAlerts
    dataTypes:
      - CybleVisionAlerts_CL
```