Cyble Vision Alerts Suspicious Domain

Alerts_suspicious_domains 
| where Service == "suspicious_domain" 
| extend MappedSeverity = Severity

entityMappings:
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
tactics:
- Reconnaissance
subTechniques: []
suppressionDuration: PT5H
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
alertDetailsOverride:
  alertDisplayNameFormat: Suspicious Domain Detected {{Domain}}  {{Status}}
  alertDescriptionFormat: |
        Suspicious Domain detected for {{Domain}} with {{Status}}
  alertDynamicProperties: []
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: c56fcb78-b708-4a92-bad4-d50b1e15c42c
severity: Low
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  Service: Service
  Keyword: KeywordName
  NS_Records: NS_Records
  AlertID: AlertID
  Screenshot: SD_ScreenshotURL
  LiveStatus: SD_IsLive
  MX_Records: MX_Records
  Status: Status
  Domain: Domain
  MappedSeverity: Severity
  Score: SD_Score
  RegistrationDate: SD_RegistrationDate
  LastLiveCheck: SD_LastLiveCheck
  A_Records: A_Records
query: |
  Alerts_suspicious_domains 
  | where Service == "suspicious_domain" 
  | extend MappedSeverity = Severity  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Suspicious_Domain.yaml
kind: Scheduled
queryPeriod: 30m
enabled: true
version: 1.0.0
name: Cyble Vision Alerts Suspicious Domain
queryFrequency: 30m
triggerThreshold: 0
relevantTechniques:
- T1595
description: |
    'This Rule generates Cyble Vision Alerts for Service - Suspicious Domain severity LOW'
triggerOperator: GreaterThan