Detections

ESET Enterprise Inspector includes a rule-based detection engine for Indicators of Attack.

Rules written to identify suspicious or malicious behavior trigger detections with a defined severity. Each triggered detection is displayed in the Detections section with a clear identification of where it happened (Computer), which executable triggered it, and even which particular process triggered it. Each detection carries the severity defined in the rule, and a priority can be assigned to it (later available as a filtering option). Detections are also shown 1:1 in the Threats section of ESET PROTECT under a specific log type labeled “Enterprise Inspector”. When a detection is resolved in either ESET Enterprise Inspector or ESET PROTECT, it is also resolved in the other system (the two systems are synchronized).

The Detections view allows advanced grouping and filtering by any column in the view. It is also possible to save filter sets per user preference. The user can drill down into the details of every detection, where further information about the executable/process/user and the computer is displayed, together with an explanation of the possible cause and suggested next steps. From a detection, the user can navigate to the details of the executable/process/rule and continue the investigation. The detection detail layout follows the design language used in ESET PROTECT, focusing on easy readability.


There are filter options that you can use to filter the detections by:

1. Source of Detections

2. Severity

3. Priority

4. Tags

5. Additional filters

By clicking on the type of detection (Rule, Blocked File, Antivirus...) you are redirected to Detection details.

The following types of detection details exist:

Firewall

HIPS

Filtered Websites

Antivirus

Rule

Blocked Executable


Right-clicking the detection name, or left-clicking anywhere else on the row, brings up a context menu with the following options:

Toggle Group—expands or collapses the group. Not available when Ungrouped is selected

Details—depending on the grouping, the user is redirected to the specific details view

Details (New Tab)—opens the detection details in a new tab

Mark as Resolved—marks the detection as Resolved

Mark as Unresolved—marks the detection as Unresolved

Mark as No Priority—marks the detection as No Priority

Mark as Priority I—marks the detection as Priority I

Mark as Priority II—marks the detection as Priority II

Mark as Priority III—marks the detection as Priority III

Create Exclusion—creates an exclusion task for the selected rule(s). You are redirected to the Create Rule Exclusion section

Edit Rule—opens the Edit Rule section if the detection was raised by a rule

Open Computer—opens Computer Details of the Computer on which the detection was triggered

Open Process—if the detection was triggered by a rule, opens the Process Details of the process that caused the detection

Open Parent Process—if the detection has a parent process, it redirects you to the Process Details of that parent process

Add Comment—lets the user add comments to this detection

Tags—used to tag the computer. After choosing this option, a new window for tag editing opens. In the Select field, you can type a new tag or select an existing one. You can also use the button at the bottom of the screen to show the list of assigned tags

Display Absolute/Relative Time—absolute time shows the time in the format DD/MM/YYYY HH:MM:SS. Relative time shows the time in minutes/hours/months relative to the present, such as "15 minutes ago" or "6 days ago"

Filter—the following quick filters are available, depending on the column:

Show only this—shows only records with this particular value

Hide this—hides all records with this particular value

Show before—shows only records that are before this value (for example, a time)

Show after—shows only records that are after this value (for example, a time)

Show lower—shows only records whose value is lower than this one

Show higher—shows only records whose value is higher than this one

Detection Groups

Ungrouped—this is the default view. When you open the Detections tab for the first time, you see each detection separately.

Types—detections are grouped by detection type (for example, the trigger was a rule or a file blocked based on a hash).

Computers—detections grouped by the computer on which they occurred.

Rules—grouped by rules that raised detections.

Processes—grouped by processes that raised detections.

Executables—grouped by executables that raised detections.

Uniqueness—grouped by the uniqueness of the detection type.

Severity

There are three types of severity:

Threat

Warning

Info

All three types are customizable through Detection Rules in the Admin tab, but only for rules created by the EEI administrator.


Priority

There are four types of priorities:

No Priority

Priority 1

Priority 2

Priority 3

Set the desired priority by clicking Mark as priority when at least one detection (or group of detections) is selected via the check box on the left side of the detection.

Alternatively, click a detection. In the context menu, select Details or Details (New Tab), then click Mark as priority and select a priority.

If the detection type is Rule and you select the check box next to the detection, you can use the EDIT RULE button, or left-click to open the context menu and choose Edit Rule, to get to the Edit Rule section. If you select one or more detections, you can also use the CREATE EXCLUSION button, or choose Create Exclusion from the context menu, to get to the Create Exclusion section.

Tags

Tagging is an additional form of filtering that can connect multiple objects across multiple views (computer, executable, event filter, etc.). If available, the tag icon is on the left side, next to the name of the view. In the Computers view, the tag panel can be accessed by clicking the three-dots icon. In the opened tag panel, all created tags are listed and ready to use. If the list of tags is long, you can use the magnifying glass to search for a specific tag. At the top of the screen, the TAGS selector can be used to select the desired tags. If available, the user can also use the TAGS button located at the bottom of the screen among the action buttons.

Additional filters

The additional filters are accessible by clicking the ADD FILTER button or by clicking the space next to it, which shows the list of available filters. The user can search for a filter by typing its name or select one from the list. For the definitions of the additional filters, follow here.

Some of the filters have a funnel icon next to them with two or four possible predefined options:

Unknown—the value in the filtered column is not available (probably not a known value at the time of occurrence)

Known—the value is available

None—value is an empty string

Any—the value is not empty; the negation of the None filter
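As an added illustration (not ESET's own code), the following Python models the context-menu quick filters described above (Show only this, Hide this, Show before/after, Show lower/higher) and the four predefined funnel options (Unknown, Known, None, Any) over a few constructed detection records. How an unrecorded value behaves under Any is an assumption, noted in the code.

```python
# Added illustration, not ESET's code: models the quick filters from the
# context menu and the four predefined funnel options over constructed
# detection records, to make the null-vs-empty distinction concrete.
from datetime import datetime

# Constructed sample detections (not real data). A value of None means the
# column was not available when the detection occurred.
DETECTIONS = [
    {"id": 1, "rule": "Suspicious script", "process": "powershell.exe",
     "severity": 3, "time": datetime(2024, 1, 10, 9, 0)},
    {"id": 2, "rule": "Blocked hash", "process": None,
     "severity": 2, "time": datetime(2024, 1, 10, 9, 30)},
    {"id": 3, "rule": "Suspicious script", "process": "",
     "severity": 1, "time": datetime(2024, 1, 11, 8, 0)},
]

# Quick filters compare against a reference value taken from a row.
# Before/after (times) and lower/higher (numbers) are the same comparison.
QUICK = {
    "show_only": lambda v, ref: v == ref,
    "hide": lambda v, ref: v != ref,
    "show_before": lambda v, ref: v is not None and v < ref,
    "show_after": lambda v, ref: v is not None and v > ref,
    "show_lower": lambda v, ref: v is not None and v < ref,
    "show_higher": lambda v, ref: v is not None and v > ref,
}

# Unknown/Known ask whether a value was recorded at all; None/Any ask whether
# a recorded value is the empty string. Treating Any as the literal negation
# of None (so an unrecorded value also passes) follows the wording above and
# is an assumption about the product, not verified behaviour.
FUNNEL = {
    "Unknown": lambda v: v is None,
    "Known": lambda v: v is not None,
    "None": lambda v: v == "",
    "Any": lambda v: v != "",
}

def quick_filter(records, column, option, ref):
    """Apply one quick filter on `column` against the reference value `ref`."""
    pred = QUICK[option]
    return [r for r in records if pred(r.get(column), ref)]

def funnel_filter(records, column, option):
    """Apply one of the predefined funnel options on `column`."""
    pred = FUNNEL[option]
    return [r for r in records if pred(r.get(column))]

def ids(records):
    """Detection ids of a filtered result, for quick inspection."""
    return [r["id"] for r in records]
```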

If present on the screen, you can refresh the table by clicking the refresh icon. If available, the export icon can be used to export the table grid to CSV format for use in other applications.

If present, click the PRESETS button to manage filter sets. These options are available:

Save filters—saves the current filter set. Select the check box Include the visible columns and sorting to also save the column and sorting settings; otherwise, loading the saved filter will show the default column setting

Reset filters—resets the active filter and returns to the default filter setting with the default column setting

Reset view—resets the active view without resetting the filter set

Manage—allows you to manage your filter sets

Save Filters as Rule—if available, saves the filter as a rule. You can then find it in the list of rules under the Detection rules sub-tab of the Admin tab

Columns

Columns can be reorganized by using the move icon that appears on the right side of the column name when you hover the mouse over it.

The width of a column can be resized using the resize icon that appears on the left side of the column name when you hover the mouse over it.

The table can be sorted by clicking the name of a column:

Default (no icon)

Ascending

Descending

You can change which columns are displayed by clicking the gear icon and selecting the Select column option, or reset the view to default by clicking the Reset columns option. The Enter quick search pattern field lets you search for a column by typing its name or a few letters of it, which is useful if the list of columns is long. For the definitions of the columns, follow here.

At the bottom of the page, there are several action buttons available.