About data visualization and Splunk apps
The best method to explain the significance of information is to display it in a visual context.
Recently we have created an add-on for our SIEM Splunk to make data flow from Eset Remote Administrator antivirus more optimized and readable. And now it’s time to visualize data from this source.
To resolve this issue our team of engineers created an application for Splunk. In general, application for SIEM provides data visualization by using statistic tables, pie and column charts, gauges, maps and other visualizations.
Shortly about app
This Splunk Application for Eset Remote Administrator can help you detect new threats faster than doing it manually because all the data will be already visualized.
This App provides visualized information about the last activity of computers, detailed statistics about threats, firewall and HIPS events and generates short reports.
Also, App provides functionality for administrators, such as Audit events about Eset Admin Panel usage.
As a bonus, App provides “Requirements check” to check the availability of all dependencies.

On every item, you can see the name and the short description of provided value.
Count of all events – count of all events by a selected time range.
Count of reporting hosts – a count of the unique hostnames by a selected time range (it’s not the counting of all computers, that you can see in admin web panel, but just a count of the hostnames.
Server log queue for today – visual statistic by the count of events for every hour using the line chart.
Severities – statistic by severities by selected time range (Critical, Error, Informational, Warning or Fatal).
Event types – visual statistic by event types (Threat Event, Firewall Aggregated Event, Audit Event or HIPS Aggregated Events).
Threats – very useful statistic. They display the count of all threats, detected in your network, and display their threat type(trojan, worm, potentially unwanted application etc.)
Time range you can select at the top of the Dashboards page using Time range selector.
By default on the Dashboard page, you can see the statistic for Today.
Computers
Computers status section

Threats
This is the most informational part of App for Eset Remote Administrator.
This section consists of Threat Events – Detailed Statistic, Threat Events – Statistic by hostnames, Threat Events – Statistic by threat names, Firewall Aggregated Events and HIPS Aggregated events subsection.
Subsections with prefix “Threat Events” provide information about all the detected threat events. The main and the most informative subsection is Threat Events – Detailed Statistic, but if you need more detailed information, you can visit second and third subsections – Threat Events – Statistic by hostnames and Threat Events – Statistic by threat names.
To get information about Firewall or HIPS events (only if your ERA instance provide this) you should visit Firewall Aggregated Events and HIPS Aggregated Events dashboards.
Threat Events – Detailed Statistic

You can view info for a specific hostname by using Hostname drop-down.
In case if your Eset Remote Administrator logs are located in the non-default index, you can add search query “index=your_index” in Root search text input (by default only source type defined).
Using Time range selector, you can specify the time range.
Threat Events – Statistic by hostnames

Here are displayed names of detected threats for every hostname. It may be useful if you want to see the situation about threats in general for each computer.
Threat Events – Statistic by threat names

Here are displayed names of computers, infected by specific threat name. For example, to see all infected by JS/CoinMiner. A computer, this table will help you to do it.
Firewall Aggregated Events

So in this table, you may see Event(network threat), Hostname, Attack Direction(Source address -> Target address) and Time. Don`t look at the small amount of Paint in the screenshot, it`s sensitive information there.
HIPS Aggregated Events
HIPS (Host-based Intrusion Prevention System) provides detection and prevention of unwanted behavior from applications.
This table displays events from Host-based Intrusion Prevention System and provides information about Application, Operation, Action, Target, Rule name, Rule id, and Aggregate count.
Report
This section provides reports about Eset Remote Administrator usage and general short data statistic for events.
Admin panel login attempts

Admin
This section provides information for administrators about this app and about Admin Panel audit events.
App requirements check

Summary
In this article, we described the usage of Splunk Application for Eset Remote Administrator. Also, this article provides the detailed description for every dashboard and usable functions to help you save your time and improve your investigation process.
Big thanks to Splunk for the great resources they provide. Special thanks to portal answers.splunk.com for answering the questions.
Keep your data safe! See you soon. Your UnderDefense team.
Links
App on Splunkbase: https://splunkbase.splunk.com/app/3931/
Our GitHub repository: https://github.com/UnderDefense/Splunk_App_Eset_RA
Get the Help You Need
Cybersecurity is our core expertise. Let’s get in touch and you will learn more about how UnderDefense can benefit your organization
Next Readers
How does it feel to discover a Zero-day Vulnerability at 21?
Mykhailo Dovhanych, 21, our Pentester has become a local celebrity. He made the digital world a bit safer by discovering a Zero-day vulnerability and getting his first CVE. We asked him a couple of questions to learn more about this exciting story: UnderDefense: What...
SOC 2 Budget Breakdown: How Much Does SOC 2 Cost in 2023?
In a Nutshell SOC 2 Type I and Type II Certification Cost Comparison SOC 2 Type II Cost SOC 2 Type I Cost SOC 2 Certification Cost Breakdown Stage 1. Pre-Assessment Pre-Assessment Supervision SOC 2 Policies Software Licenses and Installations Penetration Test...
UnderDefense reaches the mark of 100 employees
Reaching 100 employees is no small feat and we are thrilled to announce that Underdefense has done just that! We are so proud of the team we've built who are committed to providing top-notch cybersecurity services. If everyone is moving forward together, then success...