What Changed

A new CCF-based connector (ESETConnectConnector) is introduced alongside an updated KQL parser that now unions the legacy IntegrationTable_CL (Function App) and the new IntegrationTableV2_CL (CCF) tables, enabling downstream content to work regardless of which connector is deployed.

Data Source

The connector ingests from the ESET Connect REST API, covering three ESET product lines:

  • ESET PROTECT (EP) – endpoint detections via /v1/detections to IntegrationTableV2_CL
  • ESET Inspect (EI) – endpoint detections via /v1/detections + incident data via /v2/incidents to IntegrationTableV2_CL and IntegrationTableIncidentsV2_CL
  • ESET Cloud Office Security (ECOS) – email security detections via /v2/detections to IntegrationTableV2_CL (Japan region excluded)

Ingestion Mechanism

The connector is built on CCF (Codeless Connector Framework) and authenticates to the ESET Connect API with username/password credentials. Ingestion is DCR-backed into three custom tables: IntegrationTableV2_CL, IntegrationTableIncidentsV2_CL, and ESETInspectV2_CL. The legacy Function App connector remains supported.

Parser Impact

The ESETProtectPlatform workspace function (v1.1.0) is updated to union IntegrationTable_CL and IntegrationTableV2_CL using isfuzzy=true, with column_ifexists() wrappers on all field references to handle schema differences between the two table shapes (PascalCase in CCF vs. camelCase in legacy).

Existing detections and hunting queries referencing ESETProtectPlatform() will continue to work without modification. New CCF deployments populate the V2 tables; the parser surfaces both transparently.
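The union pattern described above, written out as an added illustration (not the parser shipped in this PR). The column names used here (detectionName_s / DetectionName, severityLevel_s / SeverityLevel, computerName_s / ComputerName) are hypothetical stand-ins for the legacy camelCase and CCF PascalCase shapes; the real field list lives in Parsers/ESETProtectPlatform.yaml.

```kql
// Added example, not the project's parser. Field names are hypothetical.
// Tag each side so analysts can tell which connector produced a row.
let legacy = IntegrationTable_CL
    | extend SourceTable = "IntegrationTable_CL";
let ccf = IntegrationTableV2_CL
    | extend SourceTable = "IntegrationTableV2_CL";
// isfuzzy=true lets the query run when only one of the two tables exists
// in the workspace (e.g. a CCF-only deployment with no legacy table).
union isfuzzy=true legacy, ccf
// column_ifexists() returns the fallback when a column is absent from the
// unioned result, so a missing table shape never breaks compilation.
// coalesce() treats an empty string as missing, so whichever side populated
// the row wins: PascalCase for CCF rows, camelCase for legacy rows.
| extend
    DetectionName = coalesce(
        tostring(column_ifexists("DetectionName", "")),     // CCF (PascalCase)
        tostring(column_ifexists("detectionName_s", ""))),  // legacy (camelCase)
    Severity = coalesce(
        tostring(column_ifexists("SeverityLevel", "")),
        tostring(column_ifexists("severityLevel_s", ""))),
    Computer = coalesce(
        tostring(column_ifexists("ComputerName", "")),
        tostring(column_ifexists("computerName_s", "")))
// Downstream content keeps referencing the normalized columns only.
| project TimeGenerated, SourceTable, DetectionName, Severity, Computer
```

Running the projection with a summarize by SourceTable is a quick way to confirm that both connectors are actually feeding the function after a side-by-side deployment.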

Detection Surface Unlocked

With the new CCF connector, the following attacker activity becomes observable:

  • Malware execution and endpoint compromise (ESET PROTECT detections)
  • Process-level behavioral detections and incident correlation (ESET Inspect)
  • Phishing and malicious email delivery targeting Office 365 mailboxes (ESET Cloud Office Security)

MITRE Coverage

MITRE techniques cannot be determined from this PR: no YAML analytics diff is included. Check the bundled Analytic Rules for mapped techniques.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/IntegrationTableV2_CL.json
Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_CCF/ESETProtectPlatform_ConnectorDefinition.json
Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_CCF/ESETProtectPlatform_DCR.json
Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_CCF/ESETProtectPlatform_PollerConfig.json
Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_CCF/table_ESETInspectV2.json
Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_CCF/table_IntegrationTableIncidentsV2.json
Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_CCF/table_IntegrationTableV2.json
Solutions/ESET Protect Platform/Package/testParameters.json
Solutions/ESET Protect Platform/Parsers/ESETProtectPlatform.yaml
(packaging artefacts: 3.3.0.zip, ReleaseNotes.md, Solution_ESETProtectPlatform.json, createUiDefinition.json, mainTemplate.json)