Wazuh
The added value
Integration of the ESET PROTECT Platform and Wazuh enables users to ingest detection data from ESET PROTECT, ESET Inspect and ESET Cloud Office Security into a Wazuh instance. The detection data is pulled from the ESET Public API at a time interval specified by the user and saved into a log file on the Wazuh side.
Integration type
• API-based integration
How to enable the integration
The ESET PROTECT Platform and Wazuh integration must be set up on your Wazuh machine.
Prerequisites
• The ESET Connect API user account must be created.
• Wazuh must be installed with the following components: Wazuh manager, Wazuh indexer and Wazuh dashboard.
• Docker must be installed on the Wazuh machine.
• Docker Compose must be installed on the Wazuh machine.
The ESET PROTECT Platform and Wazuh integration solution was prepared and tested using the Virtual Machine OVA with Wazuh 4.10.1.
Integration configuration steps
The ESET PROTECT Platform and Wazuh integration app is available for download on GitHub.
1. Log in to the server console where Wazuh is running and download the ESET PROTECT Platform and Wazuh integration app using the command below; sudo privileges are required. Currently, the ESET PROTECT Platform and Wazuh integration app version 1.0.1 is available.
git clone --branch 1.0.1 https://github.com/eset/ESET-Integration-Wazuh.git /var/ossec/integrations/ESET-Integration-Wazuh
2. Copy the eset_local_rules.xml file to the /var/ossec/etc/rules folder. The file contains custom rules for Wazuh to identify the ESET detections. Wazuh uses the MITRE ATT&CK framework to detect, analyze, and respond to cyber threats by mapping security events to known attack techniques. Custom rules from the eset_local_rules.xml file enable Wazuh to interpret the ESET detections and map most of them to MITRE categories. Additionally, the eset_local_rules.xml file contains rules that help Wazuh interpret those ESET detections that are not mapped to MITRE.
cp /var/ossec/integrations/ESET-Integration-Wazuh/eset_local_rules.xml /var/ossec/etc/rules/
3. Create the /var/log/eset_integration.log file that will store the ESET detections pulled by the ESET PROTECT Platform and Wazuh integration app.
touch /var/log/eset_integration.log
4. Set up Wazuh to read logs saved in /var/log/eset_integration.log. Edit the /var/ossec/etc/ossec.conf file, add a <localfile> entry for the /var/log/eset_integration.log path inside the <ossec_config> tag, next to the other local file entries, as in the example below, and save the changes.
<ossec_config>
  <!-- Configuration of other local files -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/eset_integration.log</location>
  </localfile>
</ossec_config>
To edit the /var/ossec/etc/ossec.conf file, use an editor of your preference. In the following example, the nano text editor is used:
nano /var/ossec/etc/ossec.conf
5. Restart the server using the command below to apply the changes made in step 4:
systemctl restart wazuh-manager
6. Create the .env file in the integration app folder, /var/ossec/integrations/ESET-Integration-Wazuh, or set the required variables in the environment:
• EP_INSTANCE—Whether the app pulls detections from ESET PROTECT. The options are Yes/No; set Yes if you have an ESET PROTECT instance.
• EI_INSTANCE—Whether the app pulls detections from ESET Inspect. The options are Yes/No; set Yes if you have an ESET Inspect instance.
• ECOS_INSTANCE—Whether the app pulls detections from ESET Cloud Office Security. The options are Yes/No; set Yes if you have an ESET Cloud Office Security instance.
• INTERVAL—The time interval (in minutes) at which the app runs and pulls detections; the minimum is 3. Until at least one detection record has been pulled and saved, each run retrieves the detections whose occur time is later than the current time minus the interval; for example, with the interval set to 10, the app fetches detections from the past 10 minutes. Once at least one detection record has been saved, each subsequent run pulls the detections whose occur time is later than the occur time of the most recently saved detection record.
• INSTANCE_REGION—The location of your ESET PROTECT/ESET Inspect/ESET Cloud Office Security instance. The options are: ca, de, eu, jpn, us.
• USERNAME_INTEGRATION—The ESET Connect API user login username.
• PASSWORD_INTEGRATION—The ESET Connect API user password.
To create the .env file in the /var/ossec/integrations/ESET-Integration-Wazuh folder, use the following command:
touch /var/ossec/integrations/ESET-Integration-Wazuh/.env
To edit the .env file, use an editor of your preference. In the following example, the nano text editor is used:
nano /var/ossec/integrations/ESET-Integration-Wazuh/.env
Below is an example of the content of the .env file:
EP_INSTANCE=yes
EI_INSTANCE=no
ECOS_INSTANCE=yes
INTERVAL=10
INSTANCE_REGION=eu
USERNAME_INTEGRATION=username
PASSWORD_INTEGRATION=password
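The INTERVAL rule above has two branches: as long as nothing has been saved yet, every run looks back exactly one interval from the current time; once a record is in the log, the next run continues from the occur time of the newest saved record. The following added example (written for this page, not code from the ESET-Integration-Wazuh app) computes that lower bound from the lines of a JSON log. The field name "occurTime", the sample records and the fixed "now" are assumptions made for the illustration; non-JSON lines and records without an occur time are skipped rather than treated as errors.

```python
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Constructed sample of what the JSON log could contain. The field name
# "occurTime" is an assumption for this illustration, not ESET's schema.
SAMPLE_LOG_LINES = [
    json.dumps({"occurTime": "2025-01-01T11:52:00Z", "detectionName": "sample-A"}),
    "this line is not JSON and must be ignored",
    json.dumps({"occurTime": "2025-01-01T11:58:30Z", "detectionName": "sample-B"}),
    json.dumps({"detectionName": "sample-C-without-time"}),
]
SAMPLE_NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # assumed "current time"
MIN_INTERVAL_MINUTES = 3  # the minimum INTERVAL the page allows


def parse_occur_time(line: str) -> Optional[datetime]:
    """Return the occur time of one JSON log record, or None if it has none."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    raw = record.get("occurTime")
    if not raw:
        return None
    # datetime.fromisoformat() on Python < 3.11 does not accept a trailing "Z".
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def last_saved_occur_time(log_lines: Iterable[str]) -> Optional[datetime]:
    """Occur time of the most recently saved detection, or None if none was saved."""
    latest: Optional[datetime] = None
    for line in log_lines:
        t = parse_occur_time(line)
        if t is not None and (latest is None or t > latest):
            latest = t
    return latest


def pull_since(log_lines: Iterable[str], interval_minutes: int, now: datetime) -> datetime:
    """Lower bound for the next pull, following the two INTERVAL rules on the page."""
    if interval_minutes < MIN_INTERVAL_MINUTES:
        raise ValueError(f"INTERVAL must be at least {MIN_INTERVAL_MINUTES} minutes")
    latest = last_saved_occur_time(log_lines)
    if latest is None:
        # Nothing saved yet: look back exactly one interval from now.
        return now - timedelta(minutes=interval_minutes)
    # Something saved: continue from the newest saved record, whatever INTERVAL is.
    return latest


def demo() -> dict:
    """Both branches as ISO 8601 strings so the results are easy to compare."""
    return {
        "empty_log": pull_since([], 10, SAMPLE_NOW).isoformat(),
        "with_records": pull_since(SAMPLE_LOG_LINES, 10, SAMPLE_NOW).isoformat(),
    }


if __name__ == "__main__":
    print(demo())
```

With an empty log and INTERVAL=10 the example returns 11:50:00, ten minutes before the assumed current time; with the sample records it returns 11:58:30, the newest occur time in the log, so a gap between the last detection and the current run is not skipped.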
7. Build and run the ESET PROTECT Platform and Wazuh integration app using the Docker Compose command:
docker compose --file /var/ossec/integrations/ESET-Integration-Wazuh/docker-compose.yml up -d --build --force-recreate
To prevent storage overload, moving the log data to an archive and cleaning up the eset_integration.log file or any other method of data retention and management is recommended.
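One way to implement the archive-and-clean-up retention recommended above, as an added example that is not part of the ESET integration app or of Wazuh: compress the current content of the log into a timestamped archive, truncate the live file in place and keep only the newest archives. The archive directory, the number of archives kept and the scheduling are assumptions; the live file is truncated rather than renamed so that the container's open file handle keeps pointing at the same inode and Wazuh's logcollector, which reads the file by path, sees a size drop instead of a missing file.

```python
import gzip
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional


def rotate_log(log_path: Path, archive_dir: Path, keep: int = 14,
               stamp: Optional[str] = None) -> Optional[Path]:
    """Archive log_path into archive_dir as gzip, truncate the live file and
    drop all but the `keep` newest archives. Returns the archive path, or None
    when the log was empty. `stamp` defaults to a UTC timestamp that sorts
    lexicographically, so the oldest archives come first in sorted() below."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    archive_dir.mkdir(parents=True, exist_ok=True)
    if not log_path.exists() or log_path.stat().st_size == 0:
        return None
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = archive_dir / f"{log_path.name}.{stamp}.gz"
    with open(log_path, "rb") as src, gzip.open(archive, "wb") as dst:
        shutil.copyfileobj(src, dst)
    # Records appended between the copy above and this truncate would be lost,
    # so schedule the rotation between the app's INTERVAL runs.
    with open(log_path, "r+b") as live:
        live.truncate(0)
    for old in sorted(archive_dir.glob(f"{log_path.name}.*.gz"))[:-keep]:
        old.unlink()
    return archive


def demo_rotate(rounds: int = 3, keep: int = 2) -> dict:
    """Self-contained run in a temporary directory with constructed log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "eset_integration.log"
        archives = Path(tmp) / "archive"
        for r in range(rounds):
            # Two constructed JSON records per round, not real ESET detections.
            log.write_text(f'{{"round": {r}, "detectionName": "sample"}}\n' * 2)
            rotate_log(log, archives, keep=keep, stamp=f"round{r}")
        remaining = sorted(p.name for p in archives.glob("*.gz"))
        with gzip.open(archives / remaining[-1], "rt") as fh:
            last_archive_lines = fh.read().count("\n")
        return {
            # An empty live file must not produce an empty archive.
            "empty_rotation": rotate_log(log, archives, keep=keep, stamp="empty") is None,
            "live_size": log.stat().st_size,
            "archives": remaining,
            "last_archive_lines": last_archive_lines,
        }


if __name__ == "__main__":
    # Real use: rotate_log(Path("/var/log/eset_integration.log"),
    #                      Path("/var/log/eset_integration_archive"))
    print(demo_rotate())
```

In the demo three rotations with keep=2 leave only the two newest archives, the live file is empty afterwards, and a rotation of the already-empty file does nothing. Run the real call from cron or a systemd timer with the same user that owns /var/log/eset_integration.log.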
Integration verification
When the integration is configured, you can see the logs of the running app.
1. Use the following command to show all the running containers. Find the ESET PROTECT Platform and Wazuh integration app container and copy its name:
docker ps
2. Use the following command to show the logs of the running ESET PROTECT Platform and Wazuh integration app; paste the container name copied in the previous step:
docker logs -f <docker container name>
Additionally, you can see the most recently pulled ESET detections in the eset_integration.log file by running the following command:
tail -n 100 /var/log/eset_integration.log
Alternatively, you can see the most recently pulled ESET detections in the Wazuh dashboard, which enables you to filter for the ESET logs.
1. In the Wazuh dashboard, click Add filter.
2. Edit the filter by setting the values:
• Field—rule.groups
• Operator—is
• Value—eset
3. Click Save.