[Deprecated] ESET PROTECT connector for Microsoft Sentinel
Important
Log collection from many appliances and devices is now supported by the Common Event Format (CEF) via AMA, Syslog via AMA, or Custom Logs via AMA data connector in Microsoft Sentinel. For more information, see Find your Microsoft Sentinel data connector.
This connector gathers all events generated by ESET software through the central management solution ESET PROTECT (formerly ESET Security Management Center). This includes Anti-Virus detections, Firewall detections but also more advanced EDR detections. For a complete list of events please refer to the documentation.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
Connector attribute | Description |
---|---|
Log Analytics table(s) | Syslog (ESETPROTECT) |
Data collection rules support | Workspace transform DCR |
Supported by | ESET Netherlands |
Query samples
ESET threat events
ESETPROTECT
| where EventType == 'Threat_Event'
| sort by TimeGenerated desc
Top 10 detected threats
ESETPROTECT
| where EventType == 'Threat_Event'
| summarize ThreatCount = count() by tostring(ThreatName)
| top 10 by ThreatCount
ESET firewall events
ESETPROTECT
| where EventType == 'FirewallAggregated_Event'
| sort by TimeGenerated desc
ESET threat events
ESETPROTECT
| where EventType == 'Threat_Event'
| sort by TimeGenerated desc
ESET threat events from Real-time file system protection
ESETPROTECT
| where EventType == 'Threat_Event'
| where ScanId == 'Real-time file system protection'
| sort by TimeGenerated desc
Query ESET threat events from On-demand scanner
ESETPROTECT
| where EventType == 'Threat_Event'
| where ScanId == 'On-demand scanner'
| sort by TimeGenerated desc
Top hosts by number of threat events
ESETPROTECT
| where EventType == 'Threat_Event'
| summarize threat_events_count = count() by HostName
| sort by threat_events_count desc
ESET web sites filter
ESETPROTECT
| where EventType == 'FilteredWebsites_Event'
| sort by TimeGenerated desc
ESET audit events
ESETPROTECT
| where EventType == 'Audit_Event'
| sort by TimeGenerated desc
Vendor installation instructions
NOTE: This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ESETPROTECT and load the function code or click here.The function usually takes 10-15 minutes to activate after solution installation/update.
- Install and onboard the agent for Linux
Typically, you should install the agent on a different computer from the one on which the logs are generated.
Syslog logs are collected only from Linux agents.
- Configure the logs to be collected
Configure the facilities you want to collect and their severities.
Under workspace advanced settings Configuration, select Data and then Syslog.
Select Apply below configuration to my machines and select the facilities and severities. The default ESET PROTECT facility is user.
Click Save.
Configure ESET PROTECT
Configure ESET PROTECT to send all events through Syslog.
Follow these instructions to configure syslog output. Make sure to select BSD as the format and TCP as the transport.
Follow these instructions to export all logs to syslog. Select JSON as the output format.
Note:- Refer to the documentation for setting up the log forwarder for both local and cloud storage.
Next steps
For more information, go to the related solution in the Azure Marketplace.