Merge pull request Azure#13303 from ermes-cyber-security/feature/ermes_3.1.0

Ermes Browser Security integration 3.1.0

Author: v-dvedak

…vents_ccp/data_connector_definition.json …rSecurityEvents_ConnectorDefinition.jsonSolutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json renamed to Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_ConnectorDefinition.json Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json renamed to Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_ConnectorDefinition.json

@@ -72,6 +72,18 @@
 				{
 					"description": "Connect using OAuth2 credentials",
 					"instructions": [
+						{
+							"type": "Textbox",
+							"parameters": {
+								"label": "API URL (optional)",
+								"placeholder": "https://api.shield.ermessecurity.com",
+								"type": "text",
+								"name": "apiUrl",
+								"validations": {
+									"required": false
+								}
+							}
+						},
 						{
 							"type": "OAuthForm",
 							"parameters": {

…/ErmesBrowserSecurityEvents_ccp/dcr.json …_CCF/ErmesBrowserSecurityEvents_DCR.jsonSolutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/dcr.json renamed to Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_DCR.json Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/dcr.json renamed to Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_DCR.json

@@ -11,7 +11,12 @@
 					{
 						"name": "_created",
 						"type": "string",
-						"description": "Event Timestamp"
+						"description": "Event creation timestamp (server ingestion/generation time)"
+					},
+					{
+						"name": "timestamp",
+						"type": "string",
+						"description": "Event timestamp"
 					},
 					{
 						"name": "username",
@@ -42,6 +47,11 @@
 						"name": "message",
 						"type": "dynamic",
 						"description": "Message"
+					},
+					{
+						"name": "log_data",
+						"type": "dynamic",
+						"description": "Event-specific log data"
 					}
 				]
 			}
@@ -62,9 +72,9 @@
 				"destinations": [
 					"clv2ws1"
 				],
-				"transformKql": "source | project TimeGenerated = todatetime([\"_created\"]), Username = username, ClientIP = client_ip, EventCategory = event_cat, EventId = event_id, Level = level, Message = tostring(message.en)",
+				"transformKql": "source | extend actual_timestamp = iff(isnotnull(timestamp), todatetime(timestamp), todatetime([\"_created\"])) | extend log_data_final = case(event_cat in (\"general\", \"dashboard_auth\", \"dashboard_audit\", \"device_status\"), parse_json('null'), log_data) | project TimeGenerated = actual_timestamp, Username = username, ClientIP = client_ip, EventCategory = event_cat, EventId = event_id, Level = level, Message = tostring(message.en), LogData = log_data_final",
 				"outputStream": "Custom-ErmesBrowserSecurityEvents_CL"
 			}
 		]
 	}
-}]
+}]

…ityEvents_ccp/data_connector_poller.json …sBrowserSecurityEvents_PollerConfig.jsonSolutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json renamed to Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_PollerConfig.json Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json renamed to Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_PollerConfig.json

@@ -16,24 +16,24 @@
 			"ClientSecret": "{{clientSecret}}",
 			"ClientId": "{{clientId}}",
 			"GrantType": "client_credentials",
-			"TokenEndpoint": "https://api.shield.ermessecurity.com/oauth/token",
+			"TokenEndpoint": "[[concat(if(empty(parameters('apiUrl')), 'https://api.shield.ermessecurity.com', parameters('apiUrl')),'/oauth/token')]",
 			"TokenEndpointHeaders": {
 				"Content-Type": "application/x-www-form-urlencoded"
 			},
 			"TokenEndpointQueryParameters": {}
 		},
 		"request": {
-			"apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events",
+			"apiEndpoint": "[[concat(if(empty(parameters('apiUrl')), 'https://api.shield.ermessecurity.com', parameters('apiUrl')),'/public/v1/events')]",
 			"httpMethod": "GET",
 			"queryParameters": {
 				"max_results": 100,
-				"sort": "-_created",
+				"sort": "_created",
 				"is_azure": "[variables('_solutionVersion')]"
 			},
 			"queryWindowInMin": 5,
 			"queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00",
-			"startTimeAttributeName": "gte__created",
-			"endTimeAttributeName": "lt__created",
+			"startTimeAttributeName": "gt__created",
+			"endTimeAttributeName": "lte__created",
 			"rateLimitQps": 1,
 			"retryCount": 3,
 			"timeoutInSeconds": 30,

…rmesBrowserSecurityEvents_ccp/table.json …CF/ErmesBrowserSecurityEvents_Table.jsonSolutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/table.json renamed to Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_Table.json Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/table.json renamed to Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_Table.json

@@ -42,6 +42,11 @@
                     "name": "Message",
                     "type": "String",
                     "description": "Message"
+                },
+                {
+                    "name": "LogData",
+                    "type": "Dynamic",
+                    "description": "Event-specific log data"
                 }
             ]
         }

Solutions/Ermes Browser Security/Data/Solution_ErmesBrowserSecurity.json

@@ -4,10 +4,10 @@
     "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Ermes_Browser_Security_Logo.svg\" width=\"75px\" height=\"75px\">",
     "Description": "The [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.",
     "Data Connectors": [
-      "Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_definition.json"
+      "Data Connectors/ErmesBrowserSecurityEvents_CCF/ErmesBrowserSecurityEvents_ConnectorDefinition.json"
     ],
     "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Ermes Browser Security",
-    "Version": "3.0.3",
+    "Version": "3.1.0",
     "Metadata": "SolutionMetadata.json",
     "TemplateSpec": true,
     "Is1PConnector": false

Solutions/Ermes Browser Security/Package/3.1.0.zip

@@ -60,11 +60,11 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for Ermes Browser Security. You can get Ermes Browser Security data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for Ermes Browser Security Events. You can get Ermes Browser Security Events data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
-            "name": "dataconnectors-link2",
+            "name": "dataconnectors-link1",
             "type": "Microsoft.Common.TextBlock",
             "options": {
               "link": {

Solutions/Ermes Browser Security/Package/createUiDefinition.json

@@ -45,7 +45,7 @@
   },
   "variables": {
     "_solutionName": "Ermes Browser Security",
-    "_solutionVersion": "3.0.3",
+    "_solutionVersion": "3.1.0",
     "solutionId": "ermes.azure-sentinel-solution-ermes-browser-security",
     "_solutionId": "[variables('solutionId')]",
     "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
@@ -79,7 +79,7 @@
           "resources": [
             {
               "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
-              "apiVersion": "2022-09-01-preview",
+              "apiVersion": "2025-09-01",
               "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
               "location": "[parameters('workspace-location')]",
               "kind": "Customizable",
@@ -151,6 +151,18 @@
                     {
                       "description": "Connect using OAuth2 credentials",
                       "instructions": [
+                        {
+                          "type": "Textbox",
+                          "parameters": {
+                            "label": "API URL (optional)",
+                            "placeholder": "https://api.shield.ermessecurity.com",
+                            "type": "text",
+                            "name": "apiUrl",
+                            "validations": {
+                              "required": false
+                            }
+                          }
+                        },
                         {
                           "type": "OAuthForm",
                           "parameters": {
@@ -203,7 +215,7 @@
             },
             {
               "name": "ErmesOauthDCR1",
-              "apiVersion": "2022-06-01",
+              "apiVersion": "2024-03-11",
               "type": "Microsoft.Insights/dataCollectionRules",
               "location": "[parameters('workspace-location')]",
               "kind": "[variables('blanks')]",
@@ -215,7 +227,12 @@
                       {
                         "name": "_created",
                         "type": "string",
-                        "description": "Event Timestamp"
+                        "description": "Event creation timestamp (server ingestion/generation time)"
+                      },
+                      {
+                        "name": "timestamp",
+                        "type": "string",
+                        "description": "Event timestamp"
                       },
                       {
                         "name": "username",
@@ -246,6 +263,11 @@
                         "name": "message",
                         "type": "dynamic",
                         "description": "Message"
+                      },
+                      {
+                        "name": "log_data",
+                        "type": "dynamic",
+                        "description": "Event-specific log data"
                       }
                     ]
                   }
@@ -266,15 +288,15 @@
                     "destinations": [
                       "clv2ws1"
                     ],
-                    "transformKql": "source | project TimeGenerated = todatetime([\"_created\"]), Username = username, ClientIP = client_ip, EventCategory = event_cat, EventId = event_id, Level = level, Message = tostring(message.en)",
+                    "transformKql": "source | extend actual_timestamp = iff(isnotnull(timestamp), todatetime(timestamp), todatetime([\"_created\"])) | extend log_data_final = case(event_cat in (\"general\", \"dashboard_auth\", \"dashboard_audit\", \"device_status\"), parse_json('null'), log_data) | project TimeGenerated = actual_timestamp, Username = username, ClientIP = client_ip, EventCategory = event_cat, EventId = event_id, Level = level, Message = tostring(message.en), LogData = log_data_final",
                     "outputStream": "Custom-ErmesBrowserSecurityEvents_CL"
                   }
                 ]
               }
             },
             {
               "name": "ErmesBrowserSecurityEvents_CL",
-              "apiVersion": "2022-10-01",
+              "apiVersion": "2025-07-01",
               "type": "Microsoft.OperationalInsights/workspaces/tables",
               "location": "[parameters('workspace-location')]",
               "kind": null,
@@ -317,6 +339,11 @@
                       "name": "Message",
                       "type": "String",
                       "description": "Message"
+                    },
+                    {
+                      "name": "LogData",
+                      "type": "Dynamic",
+                      "description": "Event-specific log data"
                     }
                   ]
                 }
@@ -335,7 +362,7 @@
     },
     {
       "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
-      "apiVersion": "2022-09-01-preview",
+      "apiVersion": "2025-09-01",
       "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
       "location": "[parameters('workspace-location')]",
       "kind": "Customizable",
@@ -407,6 +434,18 @@
             {
               "description": "Connect using OAuth2 credentials",
               "instructions": [
+                {
+                  "type": "Textbox",
+                  "parameters": {
+                    "label": "API URL (optional)",
+                    "placeholder": "https://api.shield.ermessecurity.com",
+                    "type": "text",
+                    "name": "apiUrl",
+                    "validations": {
+                      "required": false
+                    }
+                  }
+                },
                 {
                   "type": "OAuthForm",
                   "parameters": {
@@ -473,24 +512,22 @@
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('dataConnectorCCPVersion')]",
           "parameters": {
-            "ClientId": {
-              "defaultValue": "-NA-",
-              "type": "securestring",
-              "minLength": 1
+            "guidValue": {
+              "defaultValue": "[[newGuid()]",
+              "type": "securestring"
             },
-            "ClientSecret": {
-              "defaultValue": "-NA-",
-              "type": "securestring",
-              "minLength": 1
+            "innerWorkspace": {
+              "defaultValue": "[parameters('workspace')]",
+              "type": "securestring"
             },
             "connectorDefinitionName": {
               "defaultValue": "Ermes Browser Security Events",
-              "type": "string",
+              "type": "securestring",
               "minLength": 1
             },
             "workspace": {
               "defaultValue": "[parameters('workspace')]",
-              "type": "string"
+              "type": "securestring"
             },
             "dcrConfig": {
               "defaultValue": {
@@ -499,6 +536,20 @@
               },
               "type": "object"
             },
+            "apiUrl": {
+              "defaultValue": "",
+              "type": "securestring"
+            },
+            "ClientId": {
+              "defaultValue": "-NA-",
+              "type": "securestring",
+              "minLength": 1
+            },
+            "ClientSecret": {
+              "defaultValue": "-NA-",
+              "type": "securestring",
+              "minLength": 1
+            },
             "AuthorizationCode": {
               "defaultValue": "-NA-",
               "type": "securestring",
@@ -535,8 +586,8 @@
               }
             },
             {
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'ErmesBrowserSecurityEvents')]",
-              "apiVersion": "2023-02-01-preview",
+              "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'ErmesBrowserSecurityEvents', parameters('guidValue'))]",
+              "apiVersion": "2025-09-01",
               "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
               "location": "[parameters('workspace-location')]",
               "kind": "RestApiPoller",
@@ -550,27 +601,27 @@
                 },
                 "auth": {
                   "type": "OAuth2",
-                  "ClientSecret": "[[parameters('ClientSecret')]",
-                  "ClientId": "[[parameters('ClientId')]",
+                  "ClientSecret": "[[parameters('clientSecret')]",
+                  "ClientId": "[[parameters('clientId')]",
                   "GrantType": "client_credentials",
-                  "TokenEndpoint": "https://api.shield.ermessecurity.com/oauth/token",
+                  "TokenEndpoint": "[[concat(if(empty(parameters('apiUrl')), 'https://api.shield.ermessecurity.com', parameters('apiUrl')),'/oauth/token')]",
                   "TokenEndpointHeaders": {
                     "Content-Type": "application/x-www-form-urlencoded"
                   },
                   "TokenEndpointQueryParameters": {}
                 },
                 "request": {
-                  "apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events",
+                  "apiEndpoint": "[[concat(if(empty(parameters('apiUrl')), 'https://api.shield.ermessecurity.com', parameters('apiUrl')),'/public/v1/events')]",
                   "httpMethod": "GET",
                   "queryParameters": {
                     "max_results": 100,
-                    "sort": "-_created",
+                    "sort": "_created",
                     "is_azure": "[variables('_solutionVersion')]"
                   },
                   "queryWindowInMin": 5,
                   "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00",
-                  "startTimeAttributeName": "gte__created",
-                  "endTimeAttributeName": "lt__created",
+                  "startTimeAttributeName": "gt__created",
+                  "endTimeAttributeName": "lte__created",
                   "rateLimitQps": 1,
                   "retryCount": 3,
                   "timeoutInSeconds": 30,
@@ -605,7 +656,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.3",
+        "version": "3.1.0",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "Ermes Browser Security",

Solutions/Ermes Browser Security/Package/mainTemplate.json

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                 |
 |-------------|--------------------------------|----------------------------------------------------|
+| 3.1.0       | 12-12-2025                     | Added custom API URL support and LogData field with additional event details |
 | 3.0.3       | 19-02-2024                     | Updated _solutionVersion to dataConnectorCCPVersion. <br/> Removed grant_type and added the Solution version to the query parameters |
 | 3.0.2       | 23-01-2024                     | Updated paging type in **CCP Data Connector**      |
 | 3.0.1       | 28-11-2023                     | Updated **CCP Data Connector**                     |