
ESET EDR


About

ESET Enterprise Inspector is a sophisticated EDR tool for identifying anomalous behavior and breaches, risk assessment, incident response, investigations and remediation. It monitors and evaluates all the activity happening in the network (for example user, file, process, registry, memory and network events) in real time and allows immediate action to be taken.

Product Details

Vendor URL: ESET EDR

Product Type: EDR

Product Tier: Tier I

Integration Method: Syslog

Integration URL: ESET EDR

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Syslog and JSON

Expected Normalization Rate: near 100%

Data Label: ESET_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field     UDM Field
--------------     ---------
accountName        principal.user.userid
cat                metadata.product_event_type
circumstances      metadata.description
deviceName         target.hostname
deviceName         principal.hostname
dst                target.ip
dstPort            target.port
eiconsolelink      metadata.url_back_to_product
engine_version     metadata.product_version
event_type         metadata.product_event_type
eventDesc          metadata.description
eventjson          metadata.description
hash               target.process.file.sha256
host               observer.hostname
hostname           principal.hostname
ipv4               principal.ip
objectUri          target.url
processName        target.process.file.full_path
processname        target.process.file.full_path
protocol           network.ip_protocol
reason             metadata.description
reason             security_result.summary
result             security_result.category_details
ruleID             security_result.summary
rulename           security_result.summary
source_address     principal.ip
source_port        principal.port
source_uuid        metadata.product_log_id
src                principal.ip
srcPort            principal.port
target             principal.user.userid
target             target.user.userid
target_address     target.ip
target_port        target.port
threat_name        security_result.threat_name
threatName         security_result.threat_name
user               principal.user.userid
username           principal.user.userid
version            metadata.product_version

Product Event Types

Event                           UDM Event Classification   Security Category   Alerting enabled
-----                           ------------------------   -----------------   ----------------
Detected attack                 PROCESS_UNCATEGORIZED      EXPLOIT             TRUE
EnterpriseInspectorAlert_Event  PROCESS_UNCATEGORIZED
exploit                         NETWORK_CONNECTION         EXPLOIT
File scanner                    SCAN_PROCESS               SOFTWARE_PUA        TRUE
Filtered Website Event          NETWORK_CONNECTION
FilteredWebsites_Event          NETWORK_CONNECTION
FirewallAggregated_Event        NETWORK_CONNECTION
Port Scanning                   NETWORK_CONNECTION         NETWORK_RECON
Threat_Event                    FILE_UNCATEGORIZED
user login                      USER_LOGIN
user logout                     USER_LOGOUT
Web scanner                     SCAN_PROCESS               SOFTWARE_PUA        TRUE

Log Sample

<12>1 2021-07-23T18:53:22.858Z sysloghost ERAServer 816 - - LEEF:1.0|ESET|RemoteAdministrator|8.0.1258.0|Filtered Website Event|cat=ESET Filtered Website Event	sev=5	devTime=Jul 23 2021 18:53:02 GMT	devTimeFormat=MMM dd yyyy HH:mm:ss z	src=10.10.10.151	deviceName=	deviceDesc=An attempt to connect to URL	dst=10.173.96.182	targetAddressType=IPv4	cannerID=HTTP filter	actionTaken=blocked	objectUri=uri	accountName=LOCAL\user	processName=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	ruleID=Website certificate revoked

Sample Parsing

metadata.event_timestamp = "2021-07-23T18:53:22.858Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "ESET"
metadata.product_name = "EDR"
metadata.product_version = "8.0.1258.0"
metadata.product_event_type = "ESET Filtered Website Event"
metadata.description = "An attempt to connect to URL"
metadata.ingested_timestamp = "2021-07-23T18:53:43.602433Z"
principal.hostname = "host"
principal.user.userid = "LOCAL\user"
principal.ip = "10.10.10.151"
target.process.file.sha256 = "sha256"
target.process.file.full_path = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
target.ip = "10.173.96.182"
target.url = "uri"
observer.hostname = "sysloghost"
security_result.category = "POLICY_VIOLATION"
security_result.summary = "Website certificate revoked"
security_result.action = "BLOCK"
extensions.auth.type = "MACHINE"
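The walk from the log sample to the parsed output above, as an added Python example that is not part of this page or of the ESET/Chronicle parser: it splits the syslog-wrapped LEEF 1.0 record (on a constructed copy with the tab delimiters restored, since the page's rendering has lost them) and applies a subset of the UDM Fields table. The deviceDesc and actionTaken handling is inferred from the Sample Parsing output rather than from the table, and the GENERIC_EVENT fallback for unknown event IDs is an assumption.

```python
import re
# Constructed copy of the page's sample record with LEEF's tab attribute delimiter
# restored; keys the mapping below does not use are left out.
SAMPLE_LOG = (
    "<12>1 2021-07-23T18:53:22.858Z sysloghost ERAServer 816 - - "
    "LEEF:1.0|ESET|RemoteAdministrator|8.0.1258.0|Filtered Website Event|"
    "cat=ESET Filtered Website Event\tsev=5\tsrc=10.10.10.151\tdeviceName=\t"
    "deviceDesc=An attempt to connect to URL\tdst=10.173.96.182\tactionTaken=blocked\t"
    "objectUri=uri\taccountName=LOCAL\\user\truleID=Website certificate revoked\t"
    "processName=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
)
# Subset of the UDM Fields table (LEEF key -> UDM field); deviceDesc is not in the
# table but the Sample Parsing output shows it landing in metadata.description.
UDM_MAP = {
    "cat": "metadata.product_event_type", "deviceName": "principal.hostname",
    "src": "principal.ip", "dst": "target.ip", "objectUri": "target.url",
    "accountName": "principal.user.userid", "ruleID": "security_result.summary",
    "processName": "target.process.file.full_path", "deviceDesc": "metadata.description",
}
EVENT_TYPES = {"Filtered Website Event": "NETWORK_CONNECTION"}  # Product Event Types table
# RFC 5424 header (<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD) then the LEEF body.
SYSLOG_RE = re.compile(r"^<\d+>1 (\S+) (\S+) \S+ \S+ \S+ \S+ (LEEF:1\.0\|.*)$")

def parse_leef(line):
    """Split a syslog-wrapped LEEF 1.0 record into header parts and attributes."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped LEEF 1.0 record")
    ts, host, leef = m.groups()
    _, vendor, _product, version, event_id, attrs = leef.split("|", 5)
    fields = {}
    for kv in attrs.split("\t"):  # tab is the LEEF 1.0 default attribute delimiter
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value
    return {"timestamp": ts, "host": host, "vendor": vendor, "version": version,
            "event_id": event_id, "fields": fields}

def to_udm(rec):
    """Project a parsed record onto the UDM fields this page documents."""
    udm = {"metadata.event_timestamp": rec["timestamp"], "observer.hostname": rec["host"],
           "metadata.vendor_name": rec["vendor"], "metadata.product_version": rec["version"],
           "metadata.event_type": EVENT_TYPES.get(rec["event_id"], "GENERIC_EVENT")}
    for key, value in rec["fields"].items():
        if key in UDM_MAP and value:  # empty values such as deviceName= are not emitted
            udm[UDM_MAP[key]] = value
    if rec["fields"].get("actionTaken") == "blocked":  # as shown in the Sample Parsing
        udm["security_result.action"] = "BLOCK"
    return udm
```

Note that the empty deviceName= in the sample yields no principal.hostname, which is why a parser should drop empty LEEF values rather than emit blank UDM fields.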

Parser Alerting

Alerting criteria are listed in the Product Event Types table above.

Rules

Coming Soon