Microsoft Sentinel
The added value
The ESET PROTECT Platform is a centralized security management system with advanced threat detection capabilities designed to protect businesses from various cyber threats.
Integrating the ESET PROTECT Platform with Microsoft Sentinel lets users monitor and manage threat detections efficiently while strengthening the organization's overall security posture. The ESET PROTECT Platform data connector uses Azure Functions to connect to the ESET PROTECT Platform through the ESET Connect API and pull detection logs into Microsoft Sentinel.
Integration type
• Combination of log-based and API-based integration
How to enable the integration
The ESET PROTECT Platform solution takes a dependency on the following technologies:
• Logs Ingestion API in Azure Monitor
• Azure Functions
Pulling detection logs from the ESET PROTECT Platform into Microsoft Sentinel using Azure Functions can incur additional data ingestion costs. Check the details on the Azure Functions pricing page.
Ensure you have all the required permissions and perform the configuration steps below.
Required permissions
• Read and write permissions on the Azure Log Analytics workspace.
• Read permissions to shared keys for the Azure Log Analytics workspace. See the documentation to learn more about the workspace keys.
• Read and write permissions on Azure Functions to create a Function App. See the documentation to learn more about Azure Functions.
• Sufficient permissions to register an application with the Microsoft Entra tenant.
• Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID.
Configuration steps
1. Create an ESET Connect API User account.
2. Create a Microsoft Entra ID registered application by following the steps in the Register a new application instruction.
3. Install the ESET PROTECT Platform connector from the Azure Marketplace or the Azure portal. When it is installed, select the ESET PROTECT Platform data connector in Azure Portal > Configuration > Data Connectors > ESET PROTECT Platform data connector and click Open Connector Page.
4. Deploy the ESET PROTECT Platform data connector using the Azure Resource Manager (ARM) template: on the ESET PROTECT Platform data connector page, click Deploy to Azure. The system redirects you to the customized template page.
5. Complete the Project details and Instance details fields:
• Subscription—Your Azure subscription.
• Resource group—Your previously created Resource group. It must be the same as your Log Analytics workspace Resource group.
• Region—The location of your previously created Resource group. This field is populated automatically when you select the Resource group.
• Workspace Name—The name of the Log Analytics workspace associated with your Microsoft Sentinel instance.
• Table Name—The name of the table that will store the detection logs after the deployment. This field is pre-defined for you.
• Data Collection Endpoint Name—The name of the data collection endpoint. This field is pre-defined for you.
• Data Collection Rule Name—The name of the data collection rule. This field is pre-defined for you.
• Application Name—The name of the Azure Function App that the deployment creates. The name must be unique, so the system appends characters derived from your Resource group ID to the name you provide.
• Application Run Interval—The time interval (in minutes) at which the application runs and pulls the detections. This field is pre-defined for you, but you can select a different option.
• Object ID—The Object ID of the registered application in Microsoft Entra ID. To get the required Object ID value, follow this path: Azure Portal > Microsoft Entra ID > Manage menu option > Enterprise applications > the value in the Object ID column next to your registered application name.
• Azure Client ID—The Application (client) ID of the registered application in Microsoft Entra ID.
• Azure Client Secret—The Client Secret of the registered application in Microsoft Entra ID.
• Azure Tenant ID—The Directory (tenant) ID of the registered application in Microsoft Entra ID.
• Login—The ESET Connect API user login username created in step 1.
• Password—The ESET Connect API user password created in step 1.
• Instance Region—The location of your ESET PROTECT/ESET Inspect instance.
• Key Base—This field is pre-defined for you; do not change it.
6. Click Review + create to validate your configuration, then click Create to finalize it.
The new Function App will be created when the configuration and deployment are finished. The app will pull the detections data from the ESET PROTECT Platform and push it to Microsoft Sentinel.
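The push side of that flow, as an added illustration rather than ESET's connector code: the registered Entra ID application obtains a token for Azure Monitor with the client-credentials grant, and the Function App writes batches of records through the Data Collection Endpoint to the Data Collection Rule's custom-table stream via the Logs Ingestion API. The DCE address, DCR immutable ID, table name, token and detection records are all placeholders constructed here; the ESET Connect API pull side is not modelled.

```python
import json
from urllib.parse import urlencode

MONITOR_SCOPE = "https://monitor.azure.com/.default"  # token audience for the Logs Ingestion API
MAX_BODY_BYTES = 1_000_000                             # the API rejects a single call above 1 MB

# Constructed sample detections (placeholder shape, not the ESET Connect API schema).
SAMPLE_DETECTIONS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Severity": "High", "Hostname": "ws-01.constructed.local"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "Severity": "Low", "Hostname": "ws-02.constructed.local"},
]

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant for the registered Entra ID app; the app's Monitoring
    Metrics Publisher assignment on the DCR is what lets the token write to the stream."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": MONITOR_SCOPE})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, form

def build_ingestion_url(dce_endpoint, dcr_immutable_id, table_name):
    """A custom table is written through the DCR's 'Custom-<table>' stream on the DCE."""
    return (f"{dce_endpoint}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/Custom-{table_name}?api-version=2023-01-01")

def chunk_records(records, max_bytes=MAX_BODY_BYTES):
    """Split into JSON arrays under the per-call limit; an oversized lone record still goes out."""
    batches, current = [], []
    for rec in records:
        if current and len(json.dumps(current + [rec]).encode()) > max_bytes:
            batches.append(current)
            current = []
        current.append(rec)
    if current:
        batches.append(current)
    return batches

def build_ingestion_requests(dce_endpoint, dcr_immutable_id, table_name,
                             access_token, records, max_bytes=MAX_BODY_BYTES):
    """One (url, headers, body) per batch; TimeGenerated is assumed mapped by the DCR stream."""
    url = build_ingestion_url(dce_endpoint, dcr_immutable_id, table_name)
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return [(url, headers, json.dumps(batch)) for batch in chunk_records(records, max_bytes)]

def example_requests():
    """Requests for the sample batch against placeholder DCE, DCR and table values."""
    return build_ingestion_requests("https://dce-placeholder.ingest.monitor.azure.com",
                                    "dcr-placeholder-id", "ESETDetections_CL",
                                    "access-token-placeholder", SAMPLE_DETECTIONS)
```

The 1 MB limit is why a run that pulls a large backlog of detections must batch rather than send one request per interval.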
To verify the integration and review the detections logs:
1. Go to Azure Portal > Microsoft Sentinel > your Log Analytics workspace > General > Logs.
2. Select the table created during the deployment. The table stores the detections pulled from the ESET PROTECT Platform and their details.