Splunk
The added value
Splunk is a unified security and observability platform that enables organizations to monitor and secure their digital environments in real time.
Splunk provides instant search, powerful analytics, and intuitive visualization by ingesting and indexing data across the organization's systems, security infrastructure, applications, and cloud environments. It helps security teams detect issues faster, respond to threats proactively, ensure compliance, and make data-driven decisions.
Integrating the ESET PROTECT Platform with Splunk Enterprise lets users efficiently monitor and manage threat detections while improving overall organization security. The ESET PROTECT Platform data connector uses the ESET Public API to pull detection logs from ESET PROTECT and ESET Inspect into Splunk.
Integration type
•API-based integration
How to enable the integration
Ensure you meet the prerequisites, then follow the installation and configuration steps.
This integration solution is designed for Splunk Enterprise (on-premises). It is not suitable for Splunk Cloud. A cloud-compatible version is in development.
Prerequisites
•You have created an ESET Connect API user account.
•You have created a splunk.com account and installed Splunk Enterprise.
•You have administrator rights in Splunk Enterprise.
Installation steps
You can download the ESET PROTECT Platform integration app installation package directly from Splunk Enterprise:
1.Launch Splunk Enterprise as an administrator.
2.Navigate to Splunk Enterprise home page > Apps > Find more apps.
3.Type ESET into the search bar and click the Search button.
4.On the ESET PROTECT Platform integration app tile, click Install.
5.Log in to the splunk.com account and agree to the terms and conditions to proceed.
6.After installation, the system shows a message about successful app installation.
7.Click Open the app; the ESET PROTECT Platform integration app landing page opens.
Alternatively, you can download the ESET PROTECT Platform integration app installation package from Splunkbase and install it from the downloaded file:
1.Launch Splunk Enterprise as an administrator.
2.Open Splunkbase and log in to the splunk.com account.
3.Download the ESET PROTECT Platform integration app installation package by clicking the Download button; agree to the terms and conditions to proceed.
4.Navigate to Splunk Enterprise home page > Apps > Manage Apps and click Install app from file.
5.On the Upload app page, click Choose file and browse for the ESET PROTECT Platform integration app installation package you downloaded from Splunkbase. Select the package file.
6.Click Upload without selecting the Upgrade app check box. Select the Upgrade app check box only when the app is already installed and you want to upgrade it.
7.After uploading, the system redirects you to the Apps page and shows the message about successful app installation.
8.Find the ESET PROTECT Platform integration app on the Apps page and click Launch app; the ESET PROTECT Platform integration app landing page opens.
Configuration steps
1.From the app landing page, navigate to the Setup page and provide the following details:
•Username—The ESET Connect API user's email
•Password—The ESET Connect API user's password
•Choose a region—The location of your ESET PROTECT/ESET Inspect instance; the options are: CA, DE, EU, JPN, US.
•Use Eset Protect—Whether Splunk pulls detections from ESET PROTECT; the options are Yes/No. Set Yes if you have an ESET PROTECT instance.
•Use Eset Inspect—Whether Splunk pulls detections from ESET Inspect; the options are Yes/No. Set Yes if you have an ESET Inspect instance.
2.Click Save.
3.After configuring the ESET PROTECT Platform integration app, relaunch Splunk Enterprise.
Integration verification
After the integration installation and configuration, navigate to the Eset Detections page to see the ESET PROTECT Platform detection logs pulled via API. The time interval for the app to pull detections is five minutes. On the first run, the app pulls detections that occurred within the last five minutes; older detections are not pulled.
Also, you can search the ESET detections on the Search page:
1.Navigate to the Search page.
2.Type index="eset" into the search bar.
3.Select the time period and click Search. The search results are displayed below on the Search page.
To see the running app logs, navigate to Eset Plugin Logs.
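Because the app polls every five minutes, the practical verification is to confirm that events are still landing in index="eset" and to alarm when they stop. The script below is an added example, not part of the ESET app or Splunk: it runs the index search through Splunk's REST export endpoint and classifies feed health from the newest event timestamp. The base URL, bearer token and grace period are assumptions to adjust for your deployment.

```python
"""Feed health check for the ESET PROTECT Platform -> Splunk Enterprise connector.

Added example (not ESET's or Splunk's code). Assumes the Splunk management port
(8089) is reachable over HTTPS with a valid certificate and that token
authentication is enabled; the host and token below are placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

PULL_INTERVAL_S = 5 * 60   # the app pulls detections every five minutes
GRACE_CYCLES = 2           # assumption: tolerate two missed pull cycles

# Only fields Splunk adds itself (_time) are used; ESET field names are not assumed.
SPL = 'search index="eset" earliest=-24h | stats max(_time) as newest count as total'


def run_export(base_url: str, token: str, spl: str) -> str:
    """Run the search via /services/search/jobs/export and return the raw body."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(f"{base_url}/services/search/jobs/export", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()


def parse_export(body: str) -> dict:
    """The export endpoint streams one JSON object per line; keep the final result row."""
    result = {}
    for line in body.splitlines():
        if line.strip():
            obj = json.loads(line)
            if "result" in obj:
                result = obj["result"]
    return result


def feed_status(result: dict, now: float) -> str:
    """Classify connector health from the stats row; 'now' is epoch seconds."""
    total = int(result.get("total") or 0)
    if total == 0:
        return "no-data"   # nothing indexed: recheck the Setup page and eset.log
    age = now - float(result["newest"])
    if age > PULL_INTERVAL_S * GRACE_CYCLES:
        # A quiet tenant and a broken connector look the same here;
        # confirm on the Eset Plugin Logs page before declaring an outage.
        return "stale"
    return "ok"


if __name__ == "__main__":
    raw = run_export("https://splunk.example:8089", "<SPLUNK_TOKEN>", SPL)
    print(feed_status(parse_export(raw), time.time()))
```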
Troubleshooting
If you experience an issue with the integration, reach out to the local Partner in the respective country/region where you purchased your ESET subscription, or the respective ESET office, by opening a support request via the support form.
Be sure to include the following details; they help the support agent investigate the issue:
•Two log files: eset.log and splunkd.log; both are located in the Splunk installation directory under \Splunk\var\log\splunk
•Your machine's operating system
•Your Splunk app version