Cyble Vision Alerts SSL Certificate Expiry
| Field | Value |
| --- | --- |
| Id | A667D635-D2A7-47E7-8827-8FB243AF2AFD |
| Rulename | Cyble Vision Alerts SSL Certificate Expiry |
| Description | Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation. |
| Severity | Low |
| Tactics | InitialAccess, Impact |
| Techniques | T1190, T1499 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml |
| Version | 1.0.0 |
| Arm template | A667D635-D2A7-47E7-8827-8FB243AF2AFD.json |
```kql
Alerts_ssl_expiry
// Keep only the SSL-expiry alerts from the Cyble Vision feed
| where Service == "ssl_expiry"
// Expose the Cyble severity under a normalized column name for downstream automation
| extend MappedSeverity = Severity
```
```yaml
customDetails:
  Status: Status
  AlertID: AlertID
  ExpiryDate: SS_Expiry
  Service: Service
  Asset: SS_Asset
  DaysToExpiry: SS_DaysUntilExpiry
  CertificateTitle: SS_Title
  MappedSeverity: Severity
  Port: SS_Port
kind: Scheduled
severity: Low
description: |
  'Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security issues. Severity is normalized using MappedSeverity for downstream automation.'
triggerThreshold: 0
status: Available
enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_ssl_expiry.yaml
relevantTechniques:
  - T1190
  - T1499
version: 1.0.0
tactics:
  - InitialAccess
  - Impact
queryfrequency: 30m
entityMappings:
  - fieldMappings:
      - identifier: DomainName
        columnName: SS_Asset
    entityType: DNS
  - fieldMappings:
      - identifier: HostName
        columnName: SS_Asset
    entityType: Host
  - fieldMappings:
      - identifier: HostName
        columnName: SS_Port
    entityType: Host
requiredDataConnectors:
  - connectorId: CybleVisionAlerts
    dataTypes:
      - CybleVisionAlerts_CL
queryPeriod: 30m
query: |
  Alerts_ssl_expiry
  | where Service == "ssl_expiry"
  | extend MappedSeverity = Severity
name: Cyble Vision Alerts SSL Certificate Expiry
id: A667D635-D2A7-47E7-8827-8FB243AF2AFD
triggerOperator: GreaterThan
alertDetailsOverride:
  alertDisplayNameFormat: SSL Certificate Expiry {{DC_ServerName}}
  alertDescriptionFormat: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
```