diff --git a/Logos/Ermes_Browser_Security_Logo.svg b/Logos/Ermes_Browser_Security_Logo.svg new file mode 100644 index 00000000000..9c60eaca130 --- /dev/null +++ b/Logos/Ermes_Browser_Security_Logo.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents.json b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents.json new file mode 100644 index 00000000000..6c152c12914 --- /dev/null +++ b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents.json 
@@ -0,0 +1,81 @@ +{ + "id": "ErmesBrowserSecurityEvents", + "title": "Ermes Browser Security Events", + "publisher": "Partner", + "descriptionMarkdown": "Ermes Browser Security Events", + "graphQueriesTableName": "ErmesBrowserSecurityEvents_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Ermes Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Ermes Events", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "ErmesBrowserSecurityEvents_CL", + "lastDataReceivedQuery": "ErmesBrowserSecurityEvents_CL | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Ermes Client Id and Client Secret", + "description": "Enable API access in Ermes. Please contact [Ermes Cyber Security](https://www.ermes.company) support for more information." 
+ } + ] + }, + "instructionSteps": [ + { + "description": "Connect using OAuth2 credentials", + "instructions": [ + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Client ID", + "clientSecretLabel": "Client Secret", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + } + ], + "title": "Connect Ermes Browser Security Events to Microsoft Sentinel" + } + ] +} \ No newline at end of file diff --git a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json new file mode 100644 index 00000000000..abc5207809d --- /dev/null +++ b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json 
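Review bot: The `lastDataReceivedQuery` under `dataTypes` filters on `name_s == "no data test"`, a column that does not exist in the `ErmesBrowserSecurityEvents_CL` schema this change declares (TimeGenerated, Username, ClientIP, Level, EventCategory, EventId, Message), so the connector's "last data received" indicator stays empty even while events are flowing. Drop that clause: `"lastDataReceivedQuery": "ErmesBrowserSecurityEvents_CL | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"`. The same filter is repeated in data_connector_definition.json and in the packaged mainTemplate.json and should be fixed in all three. This file also sets `"publisher": "Partner"` while the CCP definition in the same change says `"Ermes Cyber Security S.p.A."`; the two should agree.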
@@ -0,0 +1,94 @@ +{ + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "apiVersion": "2022-09-01-preview", + "name": "ErmesBrowserSecurityDefinition", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "ErmesBrowserSecurityEvents", + "title": "Ermes Browser Security Events", + "publisher": "Ermes Cyber Security S.p.A.", + "descriptionMarkdown": "Ermes Browser Security Events", + "graphQueriesTableName": "ErmesBrowserSecurityEvents_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Ermes Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Ermes Events", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Ermes Client Id and Client Secret", + "description": "Enable API access in Ermes. Please contact [Ermes Cyber Security](https://www.ermes.company) support for more information." + } + ] + }, + "instructionSteps": [ + { + "description": "Connect using OAuth2 credentials", + "instructions": [ + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Client ID", + "clientSecretLabel": "Client Secret", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + } + ], + "title": "Connect Ermes Browser Security Events to Microsoft Sentinel" + } + ] + }, + "connectionsConfig": { + "templateSpecName": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]", + "templateSpecVersion": "[variables('dataConnectorVersion2')]" + } + } +} \ No newline at end of file diff --git a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json new file mode 100644 index 00000000000..0099b31db33 --- /dev/null +++ b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json 
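Review bot: The `permissions.resourceProvider` block asks the installer for `delete: true` on the workspace and for an `action` permission on `Microsoft.OperationalInsights/workspaces/sharedKeys`, with display text saying workspace keys are required, yet nothing in this connector uses a workspace key: the poller authenticates to Ermes with OAuth2 client credentials and writes through a DCR/DCE, not the legacy HTTP Data Collector API. Shared keys are a long-lived, workspace-wide write credential, so the prompt over-privileges the installer and steers users toward a secret the solution never needs; drop the `sharedKeys` entry and the `delete` flag, leaving `"requiredPermissions": { "write": true, "read": true }` on the workspace provider. The `connectionsConfig` here references `variables('dataConnectorTemplateSpecName2')` and `variables('dataConnectorVersion2')`, whereas the packaged mainTemplate.json declares `dataConnectorTemplateSpecName` and a literal `"1.0.0"`; if the packaging tool does not rewrite those names, this definition would not resolve, so it is worth aligning the source file with what is actually shipped.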
@@ -0,0 +1,56 @@ +[{ + "type": "Microsoft.SecurityInsights/dataConnectors", + "apiVersion": "2022-10-01-preview", + "name": "apiRequest", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "ErmesBrowserSecurityEvents", + "dataType": "ErmesBrowserSecurityEvents_CL", + "dcrConfig": { + "streamName": "Custom-Ermes_ClientCredentials", + "dataCollectionEndpoint": "value is not important. will chaned by script", + "dataCollectionRuleImmutableId": "value is not important. will chaned by script" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "[[parameters('clientSecret')]", + "ClientId": "[[parameters('clientId')]", + "GrantType": "client_credentials", + "TokenEndpoint": "https://api.shield.ermessecurity.com/oauth/token", + "TokenEndpointHeaders": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": { + "grant_type": "client_credentials" + } + }, + "request": { + "apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events", + "httpMethod": "GET", + "queryParameters": { + "max_results": 100, + "sort": "-_created", + "is_azure": "v3_0" + }, + "queryWindowInMin": 5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00", + "startTimeAttributeName": "gte__created", + "endTimeAttributeName": "lte__created", + "rateLimitQps": 1, + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "response": { + "eventsJsonPaths": [ + "$._items[*]" + ] + }, + "paging": { + "type": "LinkHeader" + } + } +}] \ No newline at end of file diff --git a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/dcr.json b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/dcr.json new file mode 100644 index 00000000000..fb79cc716d0 --- /dev/null +++ b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/dcr.json 
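Review bot: The token request sends `grant_type` twice, once via `GrantType` and again through `TokenEndpointQueryParameters`, which places it on the URL of the POST to `/oauth/token`; RFC 6749 §4.4.2 expects client-credentials parameters in the form body that the `Content-Type: application/x-www-form-urlencoded` header already declares, and query strings are what proxies and access logs retain, so unless the Ermes token endpoint specifically requires the query form, remove the `TokenEndpointQueryParameters` block. `"User-Agent": "Scuba"` gives the API owner nothing to attribute or revoke by; a value naming the integration and its version, e.g. `"User-Agent": "Microsoft-Sentinel-ErmesBrowserSecurity/3.0.0"`, helps when rate limiting or incident triage must isolate this client. The `dcrConfig` placeholders `"value is not important. will chaned by script"` (typo: changed) only work because the packaged template substitutes `parameters('dcrConfig')`; a placeholder that looks like deployable JSON is easy to ship by mistake, so a clearly invalid token such as `"<replaced-by-packaging>"` is safer.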
@@ -0,0 +1,70 @@
+[{
+ "name": "ErmesOauthDCR1",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "streamDeclarations": {
+ "Custom-Ermes_ClientCredentials": {
+ "columns": [
+ {
+ "name": "_created",
+ "type": "string",
+ "description": "Event Timestamp"
+ },
+ {
+ "name": "username",
+ "type": "string",
+ "description": "Username"
+ },
+ {
+ "name": "client_ip",
+ "type": "string",
+ "description": "Client IP"
+ },
+ {
+ "name": "level",
+ "type": "string",
+ "description": "Event priority level (INFO, WARNING, etc)"
+ },
+ {
+ "name": "event_cat",
+ "type": "string",
+ "description": "Event Category"
+ },
+ {
+ "name": "event_id",
+ "type": "string",
+ "description": "Event Id"
+ },
+ {
+ "name": "message",
+ "type": "dynamic",
+ "description": "Message"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-Ermes_ClientCredentials"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = now(), EventTimestamp = _created, Username = username, ClientIP = client_ip, EventCategory = event_cat, EventId = event_id, Level = level, Message = message.en",
+ "outputStream": "Custom-ErmesBrowserSecurityEvents_CL"
+ }
+ ]
+ }
+}]
\ No newline at end of file
diff --git a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/table.json b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/table.json
new file mode 100644
index 00000000000..482d61129cc
--- /dev/null
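Review bot: The `transformKql` sets `TimeGenerated = now()`, so every record is stamped with the time Sentinel fetched it rather than the event's `_created`, and the source time survives only as `EventTimestamp`, a column the `ErmesBrowserSecurityEvents_CL` schema in this change does not declare, so it is discarded at ingest. Analytics rules and incident timelines are then offset by the polling delay, and a retried or backfilled batch collapses onto the moment it was fetched, which is exactly the data an investigator needs to be accurate. Parse the source time and fall back to ingestion time only when it does not parse: `source | extend ts = todatetime(_created) | project TimeGenerated = iif(isnull(ts), now(), ts), EventTimestamp = ts, Username = username, ClientIP = client_ip, EventCategory = event_cat, EventId = event_id, Level = level, Message = message.en` (this needs a matching `EventTimestamp` Datetime column in table.json). `Message = message.en` keeps only the English entry of the `dynamic` message, which is presumably intentional but worth stating in the column description.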
+++ b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/table.json
@@ -0,0 +1,49 @@
+[{
+ "name": "ErmesBrowserSecurityEvents_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "ErmesBrowserSecurityEvents_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "Datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "Username",
+ "type": "String",
+ "description": "Username"
+ },
+ {
+ "name": "ClientIP",
+ "type": "String",
+ "description": "Client IP"
+ },
+ {
+ "name": "Level",
+ "type": "String",
+ "description": "Event priority level (INFO, WARNING, etc)"
+ },
+ {
+ "name": "EventCategory",
+ "type": "String",
+ "description": "Event Category"
+ },
+ {
+ "name": "EventId",
+ "type": "String",
+ "description": "Event Id"
+ },
+ {
+ "name": "Message",
+ "type": "String",
+ "description": "Message"
+ }
+ ]
+ }
+ }
+}]
\ No newline at end of file
diff --git a/Solutions/Ermes Browser Security/Data/Solution_ErmesBrowserSecurity.json b/Solutions/Ermes Browser Security/Data/Solution_ErmesBrowserSecurity.json
new file mode 100644
index 00000000000..577e44f2a4e
--- /dev/null
+++ b/Solutions/Ermes Browser Security/Data/Solution_ErmesBrowserSecurity.json
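Review bot: The schema declares no `EventTimestamp` column, yet the DCR transform added in this same change projects `EventTimestamp = _created`; Log Analytics only keeps columns declared for a custom table, so the source event time Ermes reports is silently dropped and the only timestamp left is `TimeGenerated`, which that transform sets to `now()`. Add `{ "name": "EventTimestamp", "type": "Datetime", "description": "Time the event was created at the source (Ermes _created field)" }` to `columns`. The `TimeGenerated` description claims it reflects "the time in which the event was generated", which is not true while the transform uses ingestion time; either fix the transform or reword the description so analysts do not rely on it for timelines. `ClientIP` is described only as "Client IP"; if it is known whether this is the browser's egress address as seen by Ermes, saying so matters for geo and threat-intel matching on that field.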
@@ -0,0 +1,16 @@
+{
+ "Name": "Ermes Browser Security",
+ "Author": "dev@ermessecurity.com",
+ "Logo": "",
+ "Description": "The [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.",
+ "Data Connectors": [
+ "Data Connectors/ErmesBrowserSecurityEvents.json",
+ "Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json"
+ ],
+ "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Ermes Browser Security",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "createPackage": false
+ }
\ No newline at end of file
diff --git a/Solutions/Ermes Browser Security/Package/3.0.0.zip b/Solutions/Ermes Browser Security/Package/3.0.0.zip
new file mode 100644
index 00000000000..ec3e186e3dd
Binary files /dev/null and b/Solutions/Ermes Browser Security/Package/3.0.0.zip differ
diff --git a/Solutions/Ermes Browser Security/Package/createUiDefinition.json b/Solutions/Ermes Browser Security/Package/createUiDefinition.json
new file mode 100644
index 00000000000..a14bac71147
--- /dev/null
+++ b/Solutions/Ermes Browser Security/Package/createUiDefinition.json
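Review bot: `"Logo": ""` is left empty even though this change adds `Logos/Ermes_Browser_Security_Logo.svg`, so the solution will be listed without its logo; point it at the new file. `"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Ermes Browser Security"` is a developer's local path committed into the descriptor, which only the packaging tool reads but will not resolve for anyone else regenerating the package. `"Author": "dev@ermessecurity.com"` also differs from the `support@ermes.com` contact used in mainTemplate.json; one support address should be used throughout so operators know where to report a connector problem.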
@@ -0,0 +1,85 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), 
toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Ermes Browser Security. You can get Ermes Browser Security custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Ermes Browser Security/Package/mainTemplate.json b/Solutions/Ermes Browser Security/Package/mainTemplate.json new file mode 100644 index 00000000000..af442e842aa --- /dev/null +++ b/Solutions/Ermes Browser Security/Package/mainTemplate.json 
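Review bot: `basics.subscription.resourceProviders` asks the installer's subscription to register `Microsoft.Logic/workflows`, `Microsoft.Insights/workbooks` and `Microsoft.OperationalInsights/workspaces/providers/alertRules`, none of which this solution deploys (the description itself says it ships one data connector), while not naming the `Microsoft.Insights` data collection rule and endpoint resources that mainTemplate.json does create. Registering providers the template never uses enables capabilities in the subscription for no benefit; if the packaging tool does not generate this block, trim it to the providers the template actually needs. The workspace dropdown filters with `contains(toLower(filter.id), toLower(resourceGroup().name))`, a substring match on the whole resource id, so a workspace in a resource group named e.g. `rg-prod` is also offered when `rg` is selected; this is common Sentinel-solution boilerplate, but a reader should know the filter is not exact.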
@@ -0,0 +1,672 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "subscription": { + "defaultValue": "[last(split(subscription().id, '/'))]", + "type": "string", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "defaultValue": "[resourceGroup().name]", + "type": "string", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@ermes.com", + "_email": "[variables('email')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "Ermes Browser Security", + "_solutionVersion": "3.0.0", + "_solutionAuthor": "Ermes Cyber Security", + "uiConfigId1": "ErmesBrowserSecurityEvents", + "_uiConfigId1": "[variables('uiConfigId1')]", + "_packageIcon": "icon icon icon icon", + "solutionId": "ermescybersecurity.azure-sentinel-solution-ermes-browser-security", + "_solutionId": "[variables('solutionId')]", + "dataConnectorVersionConnectorDefinition": "1.0.0", + "dataConnectorVersionConnections": "1.0.0", + "_dataConnectorContentIdConnectorDefinition": "ErmesBrowserSecurity", + 
"dataConnectorTemplateNameConnectorDefinition": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]", + "_dataConnectorContentIdConnections": "Connections", + "dataConnectorTemplateNameConnections": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]", + "_logAnalyticsTableId1": "ErmesBrowserSecurityEvents_CL", + "dataConnectorTemplateSpecName": "ErmesBrowserSecurity" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "displayName": "[variables('_solutionName')]", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnectorDefinition')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', 
variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]", + "email": "[variables('_email')]" + }, + "support": { + "name": "Ermes Cyber Security", + "email": "support@ermes.com", + "tier": "Community", + "link": "https://www.ermes.company" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Ermes Browser Security Events", + "publisher": "Ermes Cyber Security S.p.A.", + "descriptionMarkdown": "Ermes Browser Security Events", + "graphQueriesTableName": "ErmesBrowserSecurityEvents_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Ermes Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Ermes Events", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + 
], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Ermes Client Id and Client Secret", + "description": "Enable API access in Ermes. Please contact [Ermes Cyber Security](https://www.ermes.company) support for more information." 
+ } + ] + }, + "instructionSteps": [ + { + "description": "Connect using OAuth2 credentials", + "instructions": [ + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Client ID", + "clientSecretLabel": "Client Secret", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + } + ], + "title": "Connect Ermes Browser Security Events to Microsoft Sentinel" + } + ] + }, + "connectionsConfig": { + "templateSpecName": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName'))]", + "templateSpecVersion": "1.0.0" + } + } + }, + { + "name": "ErmesOauthDCR1", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "streamDeclarations": { + "Custom-Ermes_ClientCredentials": { + "columns": [ + { + "name": "_created", + "type": "string", + "description": "Event Timestamp" + }, + { + "name": "username", + "type": "string", + "description": "Username" + }, + { + "name": "client_ip", + "type": "string", + "description": "Client IP" + }, + { + "name": "level", + "type": "string", + "description": "Event priority level (INFO, WARNING, etc)" + }, + { + "name": "event_cat", + "type": "string", + "description": "Event Category" + }, + { + "name": "event_id", + "type": "string", + "description": "Event Id" + }, + { + "name": "message", + "type": "dynamic", + "description": "Message" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + 
"Custom-Ermes_ClientCredentials" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = now(), EventTimestamp = _created, Username = username, ClientIP = client_ip, EventCategory = event_cat, EventId = event_id, Level = level, Message = message.en", + "outputStream": "Custom-ErmesBrowserSecurityEvents_CL" + } + ] + } + }, + { + "name": "[variables('_logAnalyticsTableId1')]", + "apiVersion": "2021-03-01-privatepreview", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "[variables('_logAnalyticsTableId1')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "Datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "Username", + "type": "String", + "description": "Username" + }, + { + "name": "ClientIP", + "type": "String", + "description": "Client IP" + }, + { + "name": "Level", + "type": "String", + "description": "Event priority level (INFO, WARNING, etc)" + }, + { + "name": "EventCategory", + "type": "String", + "description": "Event Category" + }, + { + "name": "EventId", + "type": "String", + "description": "Event Id" + }, + { + "name": "Message", + "type": "String", + "description": "Message" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" + } + }, + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Ermes Browser Security Events", + "publisher": "Ermes Cyber Security S.p.A.", + "descriptionMarkdown": "Ermes Browser Security Events", + "graphQueriesTableName": "ErmesBrowserSecurityEvents_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Ermes Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Ermes Events", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Ermes Client Id and Client Secret",
+ "description": "Enable API access in Ermes. Please contact [Ermes Cyber Security](https://www.ermes.company) support for more information."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "Connect using OAuth2 credentials",
+ "instructions": [
+ {
+ "type": "OAuthForm",
+ "parameters": {
+ "clientIdLabel": "Client ID",
+ "clientSecretLabel": "Client Secret",
+ "connectButtonLabel": "Connect",
+ "disconnectButtonLabel": "Disconnect"
+ }
+ }
+ ],
+ "title": "Connect Ermes Browser Security Events to Microsoft Sentinel"
+ }
+ ]
+ },
+ "connectionsConfig": {
+ "templateSpecName": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName'))]",
+ "templateSpecVersion": "1.0.0"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersionConnectorDefinition')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "[variables('_solutionAuthor')]",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Ermes Cyber Security",
+ "email": "support@ermes.com",
+ "tier": "Community",
+ "link": "https://www.ermes.company"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections'))]",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersionConnections')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "connectorDefinitionName",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "ClientId": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "ClientSecret": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "AuthorizationCode": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections": "[variables('_dataConnectorContentIdConnections')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorVersionConnections')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "[variables('_solutionAuthor')]",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Ermes Cyber Security",
+ "email": "support@ermes.com",
+ "tier": "Community",
+ "link": "https://www.ermes.company"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'apiRequest')]",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "[[parameters('connectorDefinitionName')]",
+ "dataType": "ErmesBrowserSecurityEvents_CL",
+ "dcrConfig": {
+ "streamName": "Custom-Ermes_ClientCredentials",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "auth": {
+ "type": "OAuth2",
+ "ClientSecret": "[[parameters('ClientSecret')]",
+ "ClientId": "[[parameters('ClientId')]",
+ "GrantType": "client_credentials",
+ "TokenEndpoint": "https://api.shield.ermessecurity.com/oauth/token",
+ "TokenEndpointHeaders": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "TokenEndpointQueryParameters": {
+ "grant_type": "client_credentials"
+ }
+ },
+ "request": {
+ "apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events",
+ "httpMethod": "GET",
+ "queryParameters": {
+ "max_results": 100,
+ "sort": "-_created",
+ "is_azure": "v3_0"
+ },
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00",
+ "startTimeAttributeName": "gte__created",
+ "endTimeAttributeName": "lte__created",
+ "rateLimitQps": 1,
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$._items[*]"
+ ]
+ },
+ "paging": {
+ "type": "LinkHeader"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('_solutionVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]",
+ "location": "[parameters('workspace-location')]",
+ "apiVersion": "2023-04-01-preview",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "[variables('_solutionName')]",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "[variables('_solutionAuthor')]",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Ermes Cyber Security",
+ "email": "support@ermes.com",
+ "tier": "Community",
+ "link": "https://www.ermes.company"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]",
+ "version": "1.0.0"
+ }
+ ]
+ },
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence"
+ ]
+ },
+ "firstPublishDate": "2023-09-29",
+ "providers": [
+ "[variables('_solutionAuthor')]"
+ ],
+ "contentKind": "Solution",
+ "packageId": "[variables('_solutionId')]",
+ "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
+ "displayName": "[variables('_solutionName')]",
+ "publisherDisplayName": "[variables('_solutionId')]",
+ "descriptionHtml": "The [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.",
+ "icon": "[variables('_packageIcon')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Ermes Browser Security/ReleaseNotes.md b/Solutions/Ermes Browser Security/ReleaseNotes.md
new file mode 100644
index 00000000000..7bb17b50fe0
--- /dev/null
+++ b/Solutions/Ermes Browser Security/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 29-09-2023 | Initial Version Release |
\ No newline at end of file
diff --git a/Solutions/Ermes Browser Security/SolutionMetadata.json b/Solutions/Ermes Browser Security/SolutionMetadata.json
new file mode 100644
index 00000000000..b4b226b4329
--- /dev/null
+++ b/Solutions/Ermes Browser Security/SolutionMetadata.json
@@ -0,0 +1,19 @@
+{
+ "publisherId": "ermescybersecurity",
+ "offerId": "azure-sentinel-solution-ermes-browser-security",
+ "firstPublishDate": "2023-09-29",
+ "providers": [
+ "Ermes Cyber Security S.p.A."
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ },
+ "support": {
+ "name": "Ermes Cyber Security",
+ "email": "support@ermes.com",
+ "tier": "Partner",
+ "link": "https://www.ermes.company"
+ }
+}
\ No newline at end of file
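Review bot: The support block in SolutionMetadata.json declares `"tier": "Partner"` while all three support blocks in the mainTemplate.json hunk above declare `"tier": "Community"`, and `"domains": ["Security - Threat Protection"]` here disagrees with `"Security - Threat Intelligence"` in the contentPackages resource there; the two files are presumably generated from and consumed alongside each other, so customers will see different support expectations and catalog placement depending on which one a tool reads. Pick one value for each and apply it in both files, e.g. `"tier": "Partner"` and `"Security - Threat Protection"` everywhere if those are authoritative. Every `"email": "support@ermes.com"` sits next to a `"link": "https://www.ermes.company"`; the differing domains may be intentional, but it is worth confirming the mailbox is the one the vendor actually monitors, since this is the escalation path customers will use for a security connector. Both JSON files also lack a trailing newline.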