---
title: ESET PROTECT connector for Microsoft Sentinel
description: Learn how to install the connector ESET PROTECT to connect your data source to Microsoft Sentinel.
author: cwatson-cat
ms.topic: how-to
ms.date: 04/26/2024
ms.service: microsoft-sentinel
ms.author: cwatson
ms.collection: sentinel-data-connector
---
This connector collects all events generated by ESET software through the central management solution ESET PROTECT (formerly ESET Security Management Center). This includes antivirus detections and firewall detections as well as the more advanced EDR detections. For a complete list of events, refer to the ESET PROTECT documentation.
This is autogenerated content. For changes, contact the solution provider.
Connector attribute | Description |
---|---|
Log Analytics table(s) | Syslog (ESETPROTECT) |
Data collection rules support | Workspace transform DCR |
Supported by | ESET Netherlands |
## Query samples

**ESET threat events**

```kusto
ESETPROTECT
| where EventType == 'Threat_Event'
| sort by TimeGenerated desc
```

**Top 10 detected threats**

```kusto
ESETPROTECT
| where EventType == 'Threat_Event'
| summarize ThreatCount = count() by tostring(ThreatName)
| top 10 by ThreatCount
```

**ESET firewall events**

```kusto
ESETPROTECT
| where EventType == 'FirewallAggregated_Event'
| sort by TimeGenerated desc
```
**ESET threat events from Real-time file system protection**

```kusto
ESETPROTECT
| where EventType == 'Threat_Event'
| where ScanId == 'Real-time file system protection'
| sort by TimeGenerated desc
```

**ESET threat events from On-demand scanner**

```kusto
ESETPROTECT
| where EventType == 'Threat_Event'
| where ScanId == 'On-demand scanner'
| sort by TimeGenerated desc
```

**Top hosts by number of threat events**

```kusto
ESETPROTECT
| where EventType == 'Threat_Event'
| summarize threat_events_count = count() by HostName
| sort by threat_events_count desc
```

**ESET filtered websites**

```kusto
ESETPROTECT
| where EventType == 'FilteredWebsites_Event'
| sort by TimeGenerated desc
```

**ESET audit events**

```kusto
ESETPROTECT
| where EventType == 'Audit_Event'
| sort by TimeGenerated desc
```
## Vendor installation instructions

> [!NOTE]
> This data connector depends on a parser based on a Kusto function, deployed as part of the solution, to work as expected. To view the function code in Log Analytics, open the Microsoft Sentinel Logs blade, select Functions, search for the alias ESETPROTECT and load the function code. The function usually takes 10-15 minutes to activate after the solution is installed or updated, so queries against ESETPROTECT may not work until then.
1. **Install and onboard the agent for Linux.** Typically, you should install the agent on a different computer from the one on which the logs are generated. Syslog logs are collected only from Linux agents.

2. **Configure the logs to be collected.** Configure the facilities you want to collect and their severities.

   1. Under workspace advanced settings Configuration, select Data and then Syslog.
   2. Select Apply below configuration to my machines and select the facilities and severities. The default ESET PROTECT facility is user. If ESET PROTECT is configured to use a different facility, select that facility here as well; events sent on a facility that is not selected are dropped without any error.
   3. Click Save.

3. **Configure ESET PROTECT.** Configure ESET PROTECT to send all events through Syslog.

   1. Follow ESET's instructions to configure syslog output. Make sure to select BSD as the format and TCP as the transport.
   2. Follow ESET's instructions to export all logs to syslog. Select JSON as the output format. Syslog over plain TCP carries the events in cleartext, so keep the path between the ESET PROTECT server and the forwarder on a trusted network segment.

> [!NOTE]
> Refer to the documentation for setting up the log forwarder for both local and cloud storage.
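The following is an added example, not ESET's or Microsoft's code, that ties the configuration steps above to the query samples: it parses BSD-format syslog lines carrying ESET PROTECT's JSON payload into the same field names the sample queries use (EventType, HostName, ThreatName, ScanId), applies the workspace facility/severity filter so that a mismatched facility is visibly dropped, and runs the "Top 10 detected threats", "Top hosts by number of threat events" and ScanId filters locally. The sample lines are constructed, and the JSON field names (event_type, hostname, threat_name, scanner_id) and the syslog tag are assumptions taken from ESET's JSON export format; check them against the deployed ESETPROTECT parser before relying on the mapping.

```python
"""Parse ESET PROTECT syslog records, apply the workspace facility/severity
filter, and run the page's sample aggregations locally. Added example, not
ESET's or Microsoft's code. JSON field names and the syslog tag are assumptions."""
import json
import re
from collections import Counter

# RFC 3164 ("BSD") syslog line: <PRI>Mmm dd hh:mm:ss host tag: message
_BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$"
)
FACILITY_USER = 1  # ESET PROTECT sends to facility "user" unless reconfigured


def parse_line(line):
    """Return a normalised event dict, or None if the line is not a BSD
    syslog line carrying a JSON object."""
    m = _BSD_LINE.match(line)
    if m is None:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)  # PRI = facility*8 + severity
    try:
        payload = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict):
        return None
    return {
        "Facility": facility,
        "Severity": severity,
        "Computer": m.group("host"),           # the ESET PROTECT server itself
        "EventType": payload.get("event_type"),
        "HostName": payload.get("hostname"),   # endpoint that raised the event
        "ThreatName": payload.get("threat_name"),
        "ScanId": payload.get("scanner_id"),   # assumption: scanner_id feeds ScanId
        "Payload": payload,
    }


def collect(lines, facilities=frozenset({FACILITY_USER}), severities=frozenset(range(8))):
    """Mimic the workspace Syslog data source: only selected facilities and
    severities are ingested, the rest are dropped silently. Returns (events, drop_counts)."""
    events, dropped = [], Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            dropped["malformed"] += 1
        elif ev["Facility"] not in facilities:
            dropped["facility"] += 1
        elif ev["Severity"] not in severities:
            dropped["severity"] += 1
        else:
            events.append(ev)
    return events, dropped


def threat_events(events):
    return [e for e in events if e["EventType"] == "Threat_Event"]


def top_threats(events, n=10):
    """'Top 10 detected threats' sample query."""
    return Counter(e["ThreatName"] for e in threat_events(events)).most_common(n)


def threats_by_host(events):
    """'Top hosts by number of threat events' sample query."""
    counts = Counter(e["HostName"] for e in threat_events(events))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def threats_by_scanner(events, scanner):
    """The ScanId filters (Real-time file system protection / On-demand scanner)."""
    return [e for e in threat_events(events) if e["ScanId"] == scanner]


# Constructed sample lines, not captured from a real server.
# PRI 12 = user.warning, 14 = user.info, 134 = local0.info.
SAMPLE_LINES = [
    '<12>Apr 26 10:00:01 esetprotect ESETProtect: {"event_type":"Threat_Event","hostname":"ws01",'
    '"threat_name":"Eicar test file","scanner_id":"Real-time file system protection",'
    '"object_uri":"file:///tmp/eicar.com","action_taken":"cleaned by deleting"}',
    '<12>Apr 26 10:00:05 esetprotect ESETProtect: {"event_type":"Threat_Event","hostname":"ws02",'
    '"threat_name":"Eicar test file","scanner_id":"On-demand scanner","action_taken":"cleaned by deleting"}',
    '<12>Apr 26 10:00:09 esetprotect ESETProtect: {"event_type":"Threat_Event","hostname":"ws01",'
    '"threat_name":"Win32/Example.A","scanner_id":"Real-time file system protection","action_taken":"retained"}',
    '<14>Apr 26 10:01:00 esetprotect ESETProtect: {"event_type":"FirewallAggregated_Event","hostname":"ws02",'
    '"source_address":"10.0.0.9","target_port":445,"aggregate_count":12}',
    '<14>Apr 26 10:02:00 esetprotect ESETProtect: {"event_type":"Audit_Event","hostname":"esetprotect",'
    '"user":"Administrator","action":"Login attempt","result":"Success"}',
    # Sent on facility local0: invisible unless local0 is also selected in the workspace.
    '<134>Apr 26 10:03:00 esetprotect ESETProtect: {"event_type":"Threat_Event","hostname":"ws03",'
    '"threat_name":"Eicar test file","scanner_id":"On-demand scanner"}',
    '<12>Apr 26 10:04:00 esetprotect ESETProtect: this line is not JSON',
]

if __name__ == "__main__":
    evs, drops = collect(SAMPLE_LINES)
    print("ingested:", len(evs), "dropped:", dict(drops))
    print("top threats:", top_threats(evs))
    print("threats by host:", threats_by_host(evs))
    print("real-time detections:", len(threats_by_scanner(evs, "Real-time file system protection")))
```

Run it with only the default facility and the local0 line disappears from every aggregation while the malformed line is counted separately; pass `facilities={1, 16}` to `collect` and ws03 shows up in the per-host counts, which is the same behaviour you get in the workspace once the extra facility is selected.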
## Next steps

For more information, go to the related solution in the Azure Marketplace.