
Microsoft Sentinel

The added value

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform in Azure that collects and analyzes security data across the organization's systems, detects threats, and can automate responses.

Microsoft Sentinel's purpose is to centralize security monitoring and speed up detection, investigation, and response. It supports integration with many Microsoft and third-party security tools, cloud platforms, and data sources, enabling a unified view across diverse environments, helping security teams respond faster and reducing manual workloads.

Integrating the ESET PROTECT Platform with Microsoft Sentinel lets users efficiently monitor and manage threat detections while strengthening the organization's overall security posture. The ESET PROTECT Platform data connector uses Azure Functions to connect to ESET PROTECT, ESET Inspect and ESET Cloud Office Security via the ESET Public API and pull detection and incident logs into Microsoft Sentinel.

Integration type

API-based integration

How to enable the integration

The ESET PROTECT Platform solution takes a dependency on the following technologies:

Logs Ingestion API in Azure Monitor

Azure Functions


Important

Pulling detection logs from the ESET PROTECT Platform into Microsoft Sentinel using Azure Functions can result in additional data ingestion costs. For more details, refer to the Azure Functions pricing page.

Ensure you have the required permissions and follow the configuration steps below.

Required permissions

Read and write permissions on the Azure Log Analytics workspace

Read permissions to shared keys for the Azure Log Analytics workspace; refer to the documentation about the workspace keys.

Read and write permissions on Azure Functions to create a Function App; refer to the documentation about Azure Functions.

Sufficient permissions to register an application with the Microsoft Entra tenant

Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID

Configuration steps

1. Create an ESET Connect API User account with the desired level of permissions or rights to access the ESET PROTECT/ESET Inspect/ESET Cloud Office Security instance.

2. Create a Microsoft Entra ID registered application by following the steps in the Register a new application instruction.

3. Install the ESET PROTECT Platform integration for Microsoft Sentinel from the Azure Marketplace or the Microsoft Sentinel Content hub.

4. Navigate to Azure Portal > Microsoft Sentinel > Log Analytics workspace associated with your Microsoft Sentinel instance, where you installed the ESET PROTECT Platform integration > Configuration > Data Connectors.

5. Search for and select the ESET PROTECT Platform data connector and click Open Connector Page.

6. Deploy the ESET PROTECT Platform data connector using the Azure Resource Manager template: on the ESET PROTECT Platform data connector page, click Deploy to Azure. The system redirects you to the customized template page.

7. Complete the Project details and Instance details fields:

Subscription—Your Azure subscription

Resource group—Your previously created Resource group; it must be the same as your Log Analytics workspace Resource group.

Region—The region of your previously created Resource group; this field is automatically populated when you select the Resource group.

Workspace Name—The name of your Log Analytics workspace associated with your Microsoft Sentinel instance

Location—The location of your Log Analytics workspace associated with your Microsoft Sentinel instance; you can check the location of your Log Analytics workspace at Azure Portal > Log Analytics workspaces > Log Analytics workspace associated with your Microsoft Sentinel instance > Overview > Essentials > Location. For example, if the location is UK West, you can input UK West or ukwest; both variants are applicable.

Table Name—The name of the table to store the detection log data after the deployment; this field is pre-defined for you. We recommend that you keep the default Table Name, as features like the parsing function use it.

Table Name Incidents—The name of the table to store the incident log data after the deployment; this field is pre-defined for you.

Data Collection Endpoint Name—The name of the data collection endpoint; this field is pre-defined for you.

Data Collection Rule Name—The name of the collection rule; this field is pre-defined for you.

Application Name—The name of the Azure Function App that will be created after deployment; the name must be unique. Therefore, the system adds characters from your Resource group ID to your application name to ensure uniqueness.

Application Run Interval—The time interval (in minutes) for the application to run and pull the detections; this field is pre-defined for you, but you can select a different option.

Object ID—The Object ID of the registered application in Microsoft Entra ID; you can get the required Object ID value at Azure Portal > Microsoft Entra ID > Manage menu option > Enterprise applications > the value in the Object ID column next to your registered application name.

Azure Client ID—The Application (client) ID of the registered application in Microsoft Entra ID

Azure Client Secret—The Client Secret of the registered application in Microsoft Entra ID

Azure Tenant ID—The Directory (tenant) ID of the registered application in Microsoft Entra ID

Login—The ESET Connect API user's email obtained in step one

Password—The ESET Connect API user's password obtained in step one

ESET PROTECT instance—The ESET product that Microsoft Sentinel uses to gather detection data; the options are Yes/No. Yes is set by default, but you can change it. You can select more than one ESET product if they are located in the same region.

ESET Inspect instance—The ESET product that Microsoft Sentinel uses to gather detection data; the options are Yes/No. No is set by default, but you can change it to Yes if you have an ESET Inspect instance and it is located in the same region as your other ESET instances.

ESET Cloud Office Security instance—The ESET product that Microsoft Sentinel uses to gather detection data; the options are Yes/No. No is set by default, but you can change it to Yes if you have an ESET Cloud Office Security instance and it is located in the same region as your other ESET instances.

Instance Region—The location of your ESET PROTECT/ESET Inspect/ESET Cloud Office Security instance

Key Base—This field is pre-defined for you; do not change it.

8. Click Review + create to validate your configuration, then click Create to finalize it.

After configuration and deployment, the new Function App is created. The app pulls detection data from the ESET PROTECT Platform and pushes it to Microsoft Sentinel.
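The following is an added illustration (not the ESET connector's own code) of the credential chain the template wires up: the Entra registered application (Tenant ID, Client ID, Client Secret) obtains a token, and because it holds the Monitoring Metrics Publisher role on the Data Collection Rule, it can POST records through the Data Collection Endpoint into the custom table via the Logs Ingestion API. All endpoint, rule and table names below are placeholders; the real values come from your deployment.

```python
"""Client-credentials push to the Azure Monitor Logs Ingestion API (added example,
not the ESET connector's code). Uses only the standard library so it runs anywhere;
tenant/client/DCE/DCR/table values are placeholders supplied by the caller."""
import json
import urllib.parse
import urllib.request

# Audience for the Logs Ingestion API; the Entra app needs Monitoring Metrics
# Publisher on the DCR for the resulting token to be accepted.
SCOPE = "https://monitor.azure.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials request (URL, form body) for the Entra app."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return url, body


def ingest_request(dce_uri, dcr_immutable_id, table_name, token, records):
    """Build the POST to the DCE. For a custom table (name ending in _CL) the
    DCR stream is named Custom-<table name>."""
    stream = f"Custom-{table_name}"
    url = (f"{dce_uri.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream}?api-version=2023-01-01")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps(records).encode()


def push(dce_uri, dcr_immutable_id, table_name,
         tenant_id, client_id, client_secret, records):
    """Acquire a token, then upload the records; returns the HTTP status
    (the Logs Ingestion API answers 204 on success)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        token = json.load(r)["access_token"]
    url, headers, data = ingest_request(dce_uri, dcr_immutable_id,
                                        table_name, token, records)
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as r:
        return r.status
```

If `push` returns 403 rather than 204, the usual cause is the Monitoring Metrics Publisher role assignment on the DCR being missing or not yet propagated.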

Integration verification

To verify the integration and review the detection logs:

Go to Azure Portal > Microsoft Sentinel > your Log Analytics workspace > General > Logs.

Select the table created during deployment. The table stores detections pulled from the ESET PROTECT Platform and their details.

Troubleshooting

If you experience an issue with the integration, reach out to the local Partner in the respective country/region where you purchased your ESET subscription, or the respective ESET office, by opening a support request via the support form.

Make sure to include the following details; they will help the support agent investigate the issue:

Your ESET Connect API username

Function App logs from the Invocations tab; navigate to Azure Portal Home > Function App > your created function app > timer_trigger > Invocations > select the required date to see logs.