Prerequisites:
ESET PROTECT installed
Microsoft Sentinel
A Linux server
Deploy ESET PROTECT integration to Microsoft Sentinel
Navigate to Microsoft Sentinel > Content Hub
Search for ESET PROTECT
Select the ESET PROTECT integration by Cyber Defense Group B.V.
Click on “install”
Click “create” in the next window:
Select the appropriate Log Analytics workspace to deploy the integration to and click “review + create”
After the validation has passed, click “create” to start the deployment.
Configure ESET PROTECT to send events to Microsoft Sentinel
Install OMS-Agent
After deploying the solution you can find the “ESET PROTECT (Preview) Data Connector” in the Data connectors section:
After opening the connector page, you will find the instructions to install the Log Analytics agent, because Syslog is only collected by the Linux agent, you will have to install the agent on a linux machine. (for example, the ESET PROTECT Server)
Download & install the agent using the command provided:
After installing the agent the Agents management overview should report that 1 Linux computer is connected:
Configure OMS-Agent to collect syslog data
Open the Log Analytics workspace
navigate to “Legacy Agent Management” > Syslog
Click on “add facility”
select the facility name “user”
save the changes by clicking “apply”
Note: If you installed the OMS-agent on a different computer, you will need to do some additional config because the OMS agent only listens on 127.0.0.1 by default.
change the bind adress in the following file/etc/opt/microsoft/omsagent/conf/omsagent.d/syslog.confrestart the agent
/opt/microsoft/omsagent/bin/service_control restart
Configure ESET PROTECT to export syslog data to the OMS Agent.
Login to ESET PROTECT
Navigate to more > Admin > Settings
Configure the syslog settings based on the screenshot below:
All ESET PROTECT event data should now be sent to Sentinel, you can generate some audit events by logging out and back in to ESET PROTECT for example. confirm that the events reached Sentinel by running the following query:
Alternatively you can open the workbook that was created after deploying the solution:
Enable analytics rules to create incidents from ESET detections
Navigate to Microsoft Sentinel > Configuration > Analytics
Select the 2 ESET analytic rules
Click “Enable”
Triggering threat detections will now create an incident:
Add a comment
Please log in or register to submit a comment.