Merge pull request #9270 from Azure/ermes-browser-security-solution

Ermes browser security solution

Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents.json

@@ -0,0 +1,81 @@
+{
+    "id": "ErmesBrowserSecurityEvents",
+    "title": "Ermes Browser Security Events",
+    "publisher": "Partner",
+    "descriptionMarkdown": "Ermes Browser Security Events",
+    "graphQueriesTableName": "ErmesBrowserSecurityEvents_CL",
+    "graphQueries": [
+        {
+            "metricName": "Total events received",
+            "legend": "Ermes Events",
+            "baseQuery": "{{graphQueriesTableName}}"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description": "Get Sample of Ermes Events",
+            "query": "{{graphQueriesTableName}}\n | take 10"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "ErmesBrowserSecurityEvents_CL",
+            "lastDataReceivedQuery": "ErmesBrowserSecurityEvents_CL | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+        }
+    ],
+    "connectivityCriterias": [
+      {
+        "type": "HasDataConnectors"
+      }
+    ],
+    "availability": {
+      "isPreview": false
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "Read and Write permissions are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            },
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+                "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+                "providerDisplayName": "Keys",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "action": true
+                }
+            }
+        ],
+        "customs": [
+            {
+                "name": "Ermes Client Id and Client Secret",
+                "description": "Enable API access in Ermes. Please contact [Ermes Cyber Security](https://www.ermes.company) support for more information."
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "description": "Connect using OAuth2 credentials",
+            "instructions": [
+                {
+                    "type": "OAuthForm",
+                    "parameters": {
+                        "clientIdLabel": "Client ID",
+                        "clientSecretLabel": "Client Secret",
+                        "connectButtonLabel": "Connect",
+                        "disconnectButtonLabel": "Disconnect"
+                    }
+                }
+            ],
+            "title": "Connect Ermes Browser Security Events to Microsoft Sentinel"
+        }
+    ]
+}

Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json

@@ -0,0 +1,94 @@
+{
+	"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+	"apiVersion": "2022-09-01-preview",
+	"name": "ErmesBrowserSecurityDefinition",
+	"location": "[parameters('workspace-location')]",
+	"kind": "Customizable",
+	"properties": {
+		"connectorUiConfig": {
+			"id": "ErmesBrowserSecurityEvents",
+			"title": "Ermes Browser Security Events",
+			"publisher": "Ermes Cyber Security S.p.A.",
+			"descriptionMarkdown": "Ermes Browser Security Events",
+			"graphQueriesTableName": "ErmesBrowserSecurityEvents_CL",
+			"graphQueries": [
+				{
+					"metricName": "Total events received",
+					"legend": "Ermes Events",
+					"baseQuery": "{{graphQueriesTableName}}"
+				}
+			],
+			"sampleQueries": [
+				{
+					"description": "Get Sample of Ermes Events",
+					"query": "{{graphQueriesTableName}}\n | take 10"
+				}
+			],
+			"dataTypes": [
+				{
+					"name": "{{graphQueriesTableName}}",
+					"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+				}
+			],
+			"connectivityCriteria": [
+				{
+					"type": "HasDataConnectors"
+				}
+			],
+			"availability": {
+				"isPreview": false
+			},
+			"permissions": {
+				"resourceProvider": [
+					{
+						"provider": "Microsoft.OperationalInsights/workspaces",
+						"permissionsDisplayText": "Read and Write permissions are required.",
+						"providerDisplayName": "Workspace",
+						"scope": "Workspace",
+						"requiredPermissions": {
+							"write": true,
+							"read": true,
+							"delete": true
+						}
+					},
+					{
+						"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+						"permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+						"providerDisplayName": "Keys",
+						"scope": "Workspace",
+						"requiredPermissions": {
+							"action": true
+						}
+					}
+				],
+				"customs": [
+					{
+						"name": "Ermes Client Id and Client Secret",
+						"description": "Enable API access in Ermes. Please contact [Ermes Cyber Security](https://www.ermes.company) support for more information."
+					}
+				]
+			},
+			"instructionSteps": [
+				{
+					"description": "Connect using OAuth2 credentials",
+					"instructions": [
+						{
+							"type": "OAuthForm",
+							"parameters": {
+								"clientIdLabel": "Client ID",
+								"clientSecretLabel": "Client Secret",
+								"connectButtonLabel": "Connect",
+								"disconnectButtonLabel": "Disconnect"
+							}
+						}
+					],
+					"title": "Connect Ermes Browser Security Events to Microsoft Sentinel"
+				}
+			]
+		},
+		"connectionsConfig": {
+			"templateSpecName": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
+			"templateSpecVersion": "[variables('dataConnectorVersion2')]"
+		}
+	}
+}

Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json

@@ -0,0 +1,56 @@
+[{
+	"type": "Microsoft.SecurityInsights/dataConnectors",
+	"apiVersion": "2022-10-01-preview",
+	"name": "apiRequest",
+	"kind": "RestApiPoller",
+	"properties": {
+		"connectorDefinitionName": "ErmesBrowserSecurityEvents",
+		"dataType": "ErmesBrowserSecurityEvents_CL",
+		"dcrConfig": {
+			"streamName": "Custom-Ermes_ClientCredentials",
+			"dataCollectionEndpoint": "value is not important. will chaned by script",
+			"dataCollectionRuleImmutableId": "value is not important. will chaned by script"
+		},
+		"auth": {
+			"type": "OAuth2",
+			"ClientSecret": "[[parameters('clientSecret')]",
+			"ClientId": "[[parameters('clientId')]",
+			"GrantType": "client_credentials",
+			"TokenEndpoint": "https://api.shield.ermessecurity.com/oauth/token",
+			"TokenEndpointHeaders": {
+				"Content-Type": "application/x-www-form-urlencoded"
+			},
+			"TokenEndpointQueryParameters": {
+				"grant_type": "client_credentials"
+			}
+		},
+		"request": {
+			"apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events",
+			"httpMethod": "GET",
+			"queryParameters": {
+				"max_results": 100,
+				"sort": "-_created",
+				"is_azure": "v3_0"
+			},
+			"queryWindowInMin": 5,
+			"queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00",
+			"startTimeAttributeName": "gte__created",
+			"endTimeAttributeName": "lte__created",
+			"rateLimitQps": 1,
+			"retryCount": 3,
+			"timeoutInSeconds": 30,
+			"headers": {
+				"Accept": "application/json",
+				"User-Agent": "Scuba"
+			}
+		},
+		"response": {
+			"eventsJsonPaths": [
+				"$._items[*]"
+			]
+		},
+		"paging": {
+			"type": "LinkHeader"
+		}
+	}
+}]

Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/dcr.json

@@ -0,0 +1,70 @@
+[{
+	"name": "ErmesOauthDCR1",
+	"apiVersion": "2021-09-01-preview",
+	"type": "Microsoft.Insights/dataCollectionRules",
+	"location": "[parameters('workspace-location')]",
+	"properties": {
+		"dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+		"streamDeclarations": {
+			"Custom-Ermes_ClientCredentials": {
+				"columns": [
+					{
+						"name": "_created",
+						"type": "string",
+						"description": "Event Timestamp"
+					},
+					{
+						"name": "username",
+						"type": "string",
+						"description": "Username"
+					},
+					{
+						"name": "client_ip",
+						"type": "string",
+						"description": "Client IP"
+					},
+					{
+						"name": "level",
+						"type": "string",
+						"description": "Event priority level (INFO, WARNING, etc)"
+					},
+					{
+						"name": "event_cat",
+						"type": "string",
+						"description": "Event Category"
+					},
+					{
+						"name": "event_id",
+						"type": "string",
+						"description": "Event Id"
+					},
+					{
+						"name": "message",
+						"type": "dynamic",
+						"description": "Message"
+					}
+				]
+			}
+		},
+		"destinations": {
+			"logAnalytics": [
+				{
+					"workspaceResourceId": "[variables('workspaceResourceId')]",
+					"name": "clv2ws1"
+				}
+			]
+		},
+		"dataFlows": [
+			{
+				"streams": [
+					"Custom-Ermes_ClientCredentials"
+				],
+				"destinations": [
+					"clv2ws1"
+				],
+				"transformKql": "source | project TimeGenerated = now(), EventTimestamp = _created, Username = username, ClientIP = client_ip, EventCategory = event_cat, EventId = event_id, Level = level, Message = message.en",
+				"outputStream": "Custom-ErmesBrowserSecurityEvents_CL"
+			}
+		]
+	}
+}]

Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/table.json

@@ -0,0 +1,49 @@
+[{
+    "name": "ErmesBrowserSecurityEvents_CL",
+    "type": "Microsoft.OperationalInsights/workspaces/tables",
+    "apiVersion": "2021-03-01-privatepreview",
+    "tags": {},
+    "properties": {
+        "schema": {
+            "name": "ErmesBrowserSecurityEvents_CL",
+            "columns": [
+                {
+                    "name": "TimeGenerated",
+                    "type": "Datetime",
+                    "isDefaultDisplay": true,
+                    "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+                },
+                {
+                    "name": "Username",
+                    "type": "String",
+                    "description": "Username"
+                },
+                {
+                    "name": "ClientIP",
+                    "type": "String",
+                    "description": "Client IP"
+                },
+                {
+                    "name": "Level",
+                    "type": "String",
+                    "description": "Event priority level (INFO, WARNING, etc)"
+                },
+                {
+                    "name": "EventCategory",
+                    "type": "String",
+                    "description": "Event Category"
+                },
+                {
+                    "name": "EventId",
+                    "type": "String",
+                    "description": "Event Id"
+                },
+                {
+                    "name": "Message",
+                    "type": "String",
+                    "description": "Message"
+                }
+            ]
+        }
+    }
+}]

Solutions/Ermes Browser Security/Data/Solution_ErmesBrowserSecurity.json

@@ -0,0 +1,16 @@
+{
+    "Name": "Ermes Browser Security",
+    "Author": "dev@ermessecurity.com",
+    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Ermes_Browser_Security_Logo.svg\" width=\"75px\" height=\"75px\">",
+    "Description": "The [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.",
+    "Data Connectors": [
+      "Data Connectors/ErmesBrowserSecurityEvents.json",
+      "Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json"
+    ],
+    "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Ermes Browser Security",
+    "Version": "3.0.0",
+    "Metadata": "SolutionMetadata.json",
+    "TemplateSpec": true,
+    "Is1PConnector": false,
+    "createPackage": false
+  }