Azure · v-prasadboke · Feb 7, 2025 · Jan 31, 2025 · Feb 3, 2025 · Feb 3, 2025
@@ -74,7 +74,7 @@
         },
         {
             "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template",
-            "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**."
+            "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.\n\n5. Select one or more ESET products (ESET PROTECT, ESET Inspect, ESET Cloud Office Security) from which detections are retrieved."
         }
     ]
 }
@@ -87,6 +87,30 @@
                 "description": "The ESET Connect API user account password."
             }
         },
+        "ESET PROTECT instance": {
+            "type": "string",
+            "defaultValue": "yes",
+            "allowedValues": ["yes", "no"],
+            "metadata": {
+                "description": "The ESET product from which detections are pulled. Set to 'yes' to pull ESET PROTECT detections. It is allowed to pick more than one ESET product if they are located in the same region."
+            }
+        },
+        "ESET Inspect instance": {
+            "type": "string",
+            "defaultValue": "no",
+            "allowedValues": ["yes", "no"],
+            "metadata": {
+                "description": "The ESET product from which detections are pulled. Set to 'yes' to pull ESET Inspect detections. It is allowed to pick more than one ESET product if they are located in the same region."
+            }
+        },
+        "ESET Cloud Office Security instance": {
+            "type": "string",
+            "defaultValue": "no",
+            "allowedValues": ["yes", "no"],
+            "metadata": {
+                "description": "The ESET product from which detections are pulled. Set to 'yes' to pull ESET Cloud Office Security detections. It is allowed to pick more than one ESET product if they are located in the same region."
+            }
+        },
         "instanceRegion": {
             "type": "string",
             "defaultValue": "eu",
@@ -98,7 +122,7 @@
                 "de"
             ],
             "metadata": {
-                "description": "The region where your ESET Protect/Inspect/ECOS instance is running."
+                "description": "The region where your ESET PROTECT/Inspect/ECOS instance is running."
             }
         },
         "keyBase": {
@@ -436,7 +460,7 @@
 				"principalType": "ServicePrincipal"
 			},
             "dependsOn": ["[variables('dataCollectionRuleId')]"]
-        }, 
+        },
         {
             "apiVersion": "2022-03-01",
             "name": "[variables('applicationName')]",
@@ -477,35 +501,35 @@
                         {
                             "name": "WEBSITE_CONTENTSHARE",
                             "value": "[toLower(variables('contentShare'))]"
-                        }, 
+                        },
                         {
                             "name": "WEBSITE_RUN_FROM_PACKAGE",
                             "value": "https://aka.ms/sentinel-EsetProtectionPlatform-FunctionApp"
-                        }, 
+                        },
                         {
                             "name": "ENDPOINT_URI",
                             "value": "[reference(variables('dataCollectionEndpointId'), '2021-04-01').logsIngestion.endpoint]"
-                        }, 
+                        },
                         {
                             "name": "DCR_IMMUTABLEID",
                             "value": "[reference(variables('dataCollectionRuleId'), '2023-03-11').immutableId]"
-                        }, 
+                        },
                         {
                             "name": "STREAM_NAME",
                             "value": "[variables('customTableName')]"
-                        }, 
+                        },
                         {
                             "name": "AZURE_CLIENT_ID",
                             "value": "[parameters('azureClientID')]"
                         },
                         {
                             "name": "AZURE_CLIENT_SECRET",
                             "value": "[parameters('azureClientSecret')]"
-                        }, 
+                        },
                         {
                             "name": "AZURE_TENANT_ID",
                             "value": "[parameters('azureTenantID')]"
-                        }, 
+                        },
                                                 {
                             "name": "PASSWORD_INTEGRATION",
                             "value": "[parameters('password')]"
@@ -514,6 +538,18 @@
                             "name": "USERNAME_INTEGRATION",
                             "value": "[parameters('login')]"
                         },
+                        {
+                            "name": "EP_INSTANCE",
+                            "value": "[parameters('ESET PROTECT instance')]"
+                        },
+                        {
+                            "name": "EI_INSTANCE",
+                            "value": "[parameters('ESET Inspect instance')]"
+                        },
+                        {
+                            "name": "ECOS_INSTANCE",
+                            "value": "[parameters('ESET Cloud Office Security instance')]"
+                        },
                         {
                             "name": "INTERVAL",
                             "value": "[parameters('applicationRunInterval')]"

@@ -7,12 +7,7 @@
 from aiohttp import ClientSession
 
 from integration.models import Config, EnvVariables, TokenStorage
-from integration.utils import (
-    LastDetectionTimeHandler,
-    RequestSender,
-    TokenProvider,
-    TransformerDetections,
-)
+from integration.utils import LastDetectionTimeHandler, RequestSender, TokenProvider, TransformerDetections
 
 
 class ServiceClient:
@@ -34,23 +29,46 @@ async def run(self) -> None:
         start_time = time.time()
         try:
             await asyncio.gather(
-                self._process_integration("EI", start_time), self._process_integration("ECOS", start_time)
+                self._process_integration("EP", start_time),
+                self._process_integration("EI", start_time),
+                self._process_integration("ECOS", start_time),
             )
         except Exception as e:
             logging.error("Unexpected error happened", exc_info=e)
             raise e
         finally:
             await self.close()
 
+    def _validate_if_run_instance(self, data_source: str) -> bool:
+        if data_source == "EP" and self.env_vars.ep_instance == "yes" and self.env_vars.ei_instance == "no":
+            return True
+        if data_source == "EI" and self.env_vars.ei_instance == "yes":
+            return True
+        if data_source == "ECOS" and self.env_vars.ecos_instance == "yes":
+            return True
+        if data_source != "EP" and all(
+            v == "" for v in [self.env_vars.ep_instance, self.env_vars.ei_instance, self.env_vars.ecos_instance]
+        ):
+            self.config.version = "3.0.0"
+            return True
+        return False
+
     async def _process_integration(self, data_source: str, start_time: float) -> None:
+        if not self._validate_if_run_instance(data_source):
+            return
+
         last_detection_time_handler = LastDetectionTimeHandler(
             self.env_vars.conn_str, self.env_vars.last_detection_time, data_source=data_source
         )
         next_page_token: str | None = None
         cur_ld_time: str | None = None
-        max_duration = self.env_vars.interval * 60
+        max_duration: int = self.env_vars.interval * 60
 
-        if data_source == "EI" and not last_detection_time_handler.storage_table_handler.entities:
+        if (
+            self.config.version == "3.0.0"
+            and data_source == "EI"
+            and not last_detection_time_handler.storage_table_handler.entities
+        ):
             data_source, last_detection_time_handler = await self._check_if_ei_is_right_data_source(
                 last_detection_time_handler, next_page_token
             )
@@ -123,6 +141,7 @@ async def _call_service(
                         "Authorization": f"Bearer {self.token_provider.token.access_token}",
                         "Content-Type": "application/json",
                         "3rd-integration": "MS-Sentinel",
+                        "Version": self.config.version,
                     },
                     last_detection_time_handler.last_detection_time,
                     next_page_token,

@@ -55,6 +55,7 @@ def __init__(self) -> None:
             self.requests_timeout = config.get("requests_timeout")
             self.buffer: int = config.get("buffer")  # type: ignore
             self.data_sources: dict[str, t.Any] = config.get("data_sources")  # type: ignore
+            self.version: str = config.get("version")  # type: ignore
 
     def get_config_params(self) -> dict[str, t.Any] | t.Any:
         try:
@@ -78,14 +79,15 @@ def __init__(self) -> None:
         self.endpoint_uri: str = os.getenv("ENDPOINT_URI", "")
         self.dcr_immutableid: str = os.getenv("DCR_IMMUTABLEID", "")
         self.stream_name: str = os.getenv("STREAM_NAME", "")
+        self.ep_instance: str = os.getenv("EP_INSTANCE", "")
+        self.ei_instance: str = os.getenv("EI_INSTANCE", "")
+        self.ecos_instance: str = os.getenv("ECOS_INSTANCE", "")
         self.__conn_str: str = os.getenv("WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "")
         self.__key_base64: str = os.getenv("KEY_BASE64", "")
 
         region = os.getenv("INSTANCE_REGION", "eu")
         self.oauth_url: str = f"https://{region}.business-account.iam.eset.systems"
-        self.detections_url: str = (
-            f"https://{region}.incident-management.eset.systems"
-        )
+        self.detections_url: str = f"https://{region}.incident-management.eset.systems"
 
     @property
     def username(self) -> str | None:

@@ -51,6 +51,9 @@ async def send_request(
                 return await send_request_fun(session, headers, *data)
 
             except ClientResponseError as e:
+                if e.headers:
+                    logging.info(f"Request-ID: {e.headers.get('Request-ID')}")
+
                 if e.status in [400, 401, 403]:
                     raise AuthenticationException(status=e.status, message=e.message)
                 if e.status == 404:

@@ -10,7 +10,7 @@
       "Parsers/ESETProtectPlatform.yaml"
     ],
     "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ESET Protect Platform",
-    "Version": "1.0.0",
+    "Version": "3.1.0",
     "Metadata": "SolutionMetadata.json",
     "TemplateSpec": true,
     "Is1Pconnector": false

@@ -31,7 +31,7 @@
   },
   "variables": {
     "_solutionName": "ESET Protect Platform",
-    "_solutionVersion": "3.0.0",
+    "_solutionVersion": "3.1.0",
     "solutionId": "eset.eset-protect-platform-solution",
     "_solutionId": "[variables('solutionId')]",
     "uiConfigId1": "ESETProtectPlatform",
@@ -62,7 +62,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ESET Protect Platform data connector with template version 3.0.0",
+        "description": "ESET Protect Platform data connector with template version 3.1.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -163,7 +163,7 @@
                       "title": "Step 2 -  Create a registered application"
                     },
                     {
-                      "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.",
+                      "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.\n\n5. Select one or more ESET products (ESET PROTECT, ESET Inspect, ESET Cloud Office Security) from which detections are retrieved.",
                       "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template"
                     }
                   ]
@@ -332,7 +332,7 @@
               "title": "Step 2 -  Create a registered application"
             },
             {
-              "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.",
+              "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.\n\n5. Select one or more ESET products (ESET PROTECT, ESET Inspect, ESET Cloud Office Security) from which detections are retrieved.",
               "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template"
             }
           ],
@@ -349,7 +349,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ESETProtectPlatform Data Parser with template version 3.0.0",
+        "description": "ESETProtectPlatform Data Parser with template version 3.1.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -475,7 +475,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.0",
+        "version": "3.1.0",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "ESET Protect Platform",
@@ -517,7 +517,7 @@
           ]
         },
         "firstPublishDate": "2024-10-29",
-        "lastPublishDate": "2024-11-08",
+        "lastPublishDate": "2024-01-31",
         "providers": [
           "ESET Enterprise Integrations"
         ],

@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.1.0       | 06-02-2025                     | Updated **Data Connector** FunctionApp code to work with old param and new       |
 | 3.0.0       | 04-11-2024                     | Initial Solution Release       |
@@ -2,7 +2,7 @@
 	"publisherId": "eset",
 	"offerId": "eset-protect-platform-solution",
 	"firstPublishDate": "2024-10-29",
-	"lastPublishDate": "2024-11-08",
+	"lastPublishDate": "2024-01-31",
 	"providers": ["ESET Enterprise Integrations"],
 	"categories": {
 		"domains" : ["Security - Automation (SOAR)", "Security - Threat Protection"]