Udostępnij za pośrednictwem


[Deprecated] ESET PROTECT connector for Microsoft Sentinel

Important

Log collection from many appliances and devices is now supported by the Common Event Format (CEF) via AMA, Syslog via AMA, or Custom Logs via AMA data connector in Microsoft Sentinel. For more information, see Find your Microsoft Sentinel data connector.

This connector gathers all events generated by ESET software through the central management solution ESET PROTECT (formerly ESET Security Management Center). This includes Anti-Virus detections, Firewall detections but also more advanced EDR detections. For a complete list of events please refer to the documentation.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) Syslog (ESETPROTECT)
Data collection rules support Workspace transform DCR
Supported by ESET Netherlands

Query samples

ESET threat events

ESETPROTECT

| where EventType == 'Threat_Event'

| sort by TimeGenerated desc

Top 10 detected threats

ESETPROTECT

| where EventType == 'Threat_Event'

| summarize ThreatCount = count() by tostring(ThreatName)

| top 10 by ThreatCount

ESET firewall events

ESETPROTECT

| where EventType == 'FirewallAggregated_Event'

| sort by TimeGenerated desc

ESET threat events

ESETPROTECT

| where EventType == 'Threat_Event'

| sort by TimeGenerated desc

ESET threat events from Real-time file system protection

ESETPROTECT

| where EventType == 'Threat_Event'

| where ScanId == 'Real-time file system protection'

| sort by TimeGenerated desc

Query ESET threat events from On-demand scanner

ESETPROTECT

| where EventType == 'Threat_Event'

| where ScanId == 'On-demand scanner'

| sort by TimeGenerated desc

Top hosts by number of threat events

ESETPROTECT

| where EventType == 'Threat_Event'

| summarize threat_events_count = count() by HostName

| sort by threat_events_count desc

ESET web sites filter

ESETPROTECT

| where EventType == 'FilteredWebsites_Event'

| sort by TimeGenerated desc

ESET audit events

ESETPROTECT

| where EventType == 'Audit_Event'

| sort by TimeGenerated desc

Vendor installation instructions

NOTE: This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ESETPROTECT and load the function code or click here.The function usually takes 10-15 minutes to activate after solution installation/update.

  1. Install and onboard the agent for Linux

Typically, you should install the agent on a different computer from the one on which the logs are generated.

Syslog logs are collected only from Linux agents.

  1. Configure the logs to be collected

Configure the facilities you want to collect and their severities.

  1. Under workspace advanced settings Configuration, select Data and then Syslog.

  2. Select Apply below configuration to my machines and select the facilities and severities. The default ESET PROTECT facility is user.

  3. Click Save.

  4. Configure ESET PROTECT

Configure ESET PROTECT to send all events through Syslog.

  1. Follow these instructions to configure syslog output. Make sure to select BSD as the format and TCP as the transport.

  2. Follow these instructions to export all logs to syslog. Select JSON as the output format.

Note:- Refer to the documentation for setting up the log forwarder for both local and cloud storage.

Next steps

For more information, go to the related solution in the Azure Marketplace.