Detection Rules
Rules are behavior- and reputation-based descriptions of activity that EEI can identify in the events and metadata it receives from clients.
Security engineers can add and edit their own rules; ESET also provides a set of built-in rules that security engineers cannot modify.
A rule is defined in an XML-based language. Rules are matched on the server asynchronously, so there is a delay between the moment an event occurs on a client and the moment the server evaluates it against the rules. A matched rule does not block anything on the endpoint; its only effect is to raise a detection that notifies security engineers.
The detection is displayed in the Detections view and is also exported to ESET PROTECT, from where it can be forwarded to a connected SIEM tool, or an email can be sent automatically through the ESET PROTECT notification mechanism when the detection is triggered.
Based on the result of the investigation, the security engineer can perform a manual remediation action.
In the future, with improvements to the ESET PROTECT Orchestration framework, it will be possible to define automated incident response criteria that are executed dynamically after a rule-based detection.
Right-click the name in a row, or left-click anywhere else on the row, to open a context menu with the following options:
•Details—Redirect to Rule Details
•Details (New Tab)—Redirect to rule details in a new tab
•Edit—Redirect to Edit Rule section if the detection was raised by a rule
•Edit (New Tab)—Redirect to Edit Rule section if the detection was raised by a rule, but in new tab
•Rerun Tasks—Redirect to the Rerun Tasks view of the particular rule
•Exclusions—Redirect to the Exclusions view of the particular rule
•Detections—Redirect to the Detections view of the particular rule
•Enable—Enables the rule
•Disable—Disables the rule
•Delete—Deletes the rule
•Save As—Creates a new rule with the desired name and opens the rule editor
•Create Exclusion—Creates an exclusion task for the selected rule(s). You are redirected to the Create Rule Exclusion section
•Display Absolute/Relative Time—Absolute time is shown in the format DD/MM/YYYY HH:MM:SS. Relative time is shown in minutes, hours, days or months relative to the present, for example "15 minutes ago" or "6 days ago"
•Filter—the following quick filters are available, depending on the column:
oShow only this—Shows only records with this particular value
oHide this—Hides all records with this particular value
oShow before—Shows only records that come before this value (for example, a time)
oShow after—Shows only records that come after this value (for example, a time)
oShow lower—Shows only records whose value is lower than this one
oShow higher—Shows only records whose value is higher than this one
Note: Rules with severity 22 and below are telemetry rules. They usually serve only as additional context when investigating an incident and are often triggered by legitimate behavior. If some of these rules generate too much traffic in your environment, consider disabling them.
Tags
Tagging is an additional form of filtering that links objects across multiple views (computer, executable, event filter, etc.). If available, the tag icon is on the left side, next to the name of the view. In the Computers view, the tag panel is opened by clicking the tag icon. The panel lists all created tags, ready to use; if the list is long, use the magnifying glass to search for a specific tag. At the top of the screen, the TAGS selector can be used to select the desired tags. Where available, the TAGS button among the action buttons at the bottom of the screen can also be used.
Additional filters
The additional filters are accessible by clicking the ADD FILTER button, or by clicking the space next to it, which shows the list of available filters. You can search for a filter by typing its name or select it from the list. The definitions of the additional filters are documented separately.
Some of the filters have a funnel icon next to them with two or four possible predefined options:
•Unknown—the value in the filtered column is not available (probably not a known value at the time of occurrence)
•Known—the value is available
•None—value is an empty string
•Any—the value is not empty (the negation of the None filter)
If present on the screen, you can refresh the table by clicking the refresh icon. If available, the export icon can be used to export the table grid to CSV format for use in other applications.
If present, click the PRESETS button to manage filter sets. These options are available:
•Save filters—saves the current filter set. Select the Include the visible columns and sorting check box to save the column and sorting settings as well; otherwise, loading the saved filter set restores the default column settings
•Reset filters—resets the active filters and returns to the default filter set with the default column settings
•Reset view—resets the active view without resetting the filter set
•Manage—allows you to manage your filter sets
•Save Filters as Rule—if available, saves the current filter as a rule. The rule then appears in the list of rules under the Detection rules sub-tab of the Admin tab
Columns
Columns can be reordered using the icon that appears on the right side of the column name when you hover over it.
The width of a column can be resized using the icon that appears on the left side of the column name when you hover over it.
Rows can be sorted by clicking the column name, which cycles through:
•Default (no icon)
•Ascending
•Descending
To change which columns are displayed, click the gear icon and select the Select column option, or reset the view to default with the Reset columns option. The Enter quick search pattern field lets you find a column by typing its name or a few letters of it, which is useful when the list of columns is long. The definitions of the columns are documented separately.
You can select all the rules by selecting the check box on the left side of the Rule Name column header, or you can select each rule individually by clicking its corresponding check box.
When one or more rules are checked (selected), the following actions are available through buttons at the bottom of the window:
•Edit—Redirects you to the Edit Rule window
•Enable—Enables the selected rule(s)
•Disable—Disables the selected rule(s)
•Delete—Deletes the selected rule(s)
•Save As—Saves the rule under a new name and opens the Edit Rule window
•Create Exclusion—Redirects you to the Create Exclusion window
•Create Rerun Task—Redirects you to the Create Rerun Task window
•Export—Starts the export of the selected rule(s); how the download is handled depends on the web browser. The exported file is in XML format
•Import—Opens a window for importing an XML rule file. When the import finishes, a window with the result pops up, showing:
•Total count of imported rules
•Count of imported rules with correct syntax
•Count of imported rules with incorrect syntax
•Count of rules not imported
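Because the import result only reports counts, it helps to check a batch of exported rule files before importing them, and to spot which of them are telemetry rules (severity 22 and below, per the note above) that may need to be disabled afterwards. The script below is an added example and is not ESET code; the page does not show the rule schema, so it assumes that each exported file is a single <rule> document with <definition> and <description> children and that <description> carries <name> and <severity> elements. Those element names, and the rule that a syntactically correct duplicate name is counted as "not imported", are assumptions you should adapt to your real export files. The sample rule files are constructed inline.

```python
"""Pre-import check for a batch of ESET Inspect rule XML files.

Added example, not ESET code. The element layout (<rule>, <definition>,
<description>/<name>, <description>/<severity>) is an ASSUMPTION about the
export format; adjust the paths to match real exported rules.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# From the page: rules with severity 22 and below are telemetry rules.
TELEMETRY_MAX_SEVERITY = 22


@dataclass
class ImportReport:
    """Mirrors the four counts the import result window shows."""
    total: int = 0
    correct_syntax: int = 0
    incorrect_syntax: int = 0
    not_imported: int = 0
    telemetry_rules: list[str] = field(default_factory=list)
    errors: dict[str, str] = field(default_factory=dict)


def check_rule(xml_text: str) -> tuple[str, int]:
    """Parse one rule document and return (name, severity).

    Raises ValueError for malformed XML or for a rule missing the
    (assumed) required elements.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != "rule":
        raise ValueError(f"root element is <{root.tag}>, expected <rule>")
    if root.find("./definition") is None:
        raise ValueError("missing <definition>")
    name_el = root.find("./description/name")
    sev_el = root.find("./description/severity")
    name = (name_el.text or "").strip() if name_el is not None else ""
    if not name:
        raise ValueError("missing or empty <description><name>")
    if sev_el is None:
        raise ValueError("missing <description><severity>")
    try:
        severity = int((sev_el.text or "").strip())
    except ValueError:
        raise ValueError(f"severity is not an integer: {sev_el.text!r}") from None
    if severity < 0:
        raise ValueError(f"negative severity {severity}")
    return name, severity


def check_batch(files: dict[str, str]) -> ImportReport:
    """Run check_rule over a batch and tally the import-style counts."""
    report = ImportReport(total=len(files))
    seen: set[str] = set()
    for fname, text in files.items():
        try:
            name, severity = check_rule(text)
        except ValueError as exc:
            report.incorrect_syntax += 1
            report.not_imported += 1
            report.errors[fname] = str(exc)
            continue
        report.correct_syntax += 1
        if name in seen:  # assumption: a duplicate name would not be imported
            report.not_imported += 1
            report.errors[fname] = f"duplicate rule name {name!r}"
            continue
        seen.add(name)
        if severity <= TELEMETRY_MAX_SEVERITY:
            report.telemetry_rules.append(name)
    return report


# Constructed sample files: two valid rules, one unbalanced document,
# one rule without a severity, and a duplicate of the first rule's name.
SAMPLE_FILES = {
    "good_high.xml": "<rule><definition><process/></definition>"
                     "<description><name>Suspicious LSASS access</name>"
                     "<severity>80</severity></description></rule>",
    "good_telemetry.xml": "<rule><definition><process/></definition>"
                          "<description><name>Script interpreter started</name>"
                          "<severity>10</severity></description></rule>",
    "broken.xml": "<rule><definition></rule>",
    "no_severity.xml": "<rule><definition><process/></definition>"
                       "<description><name>Missing severity</name></description></rule>",
    "dup.xml": "<rule><definition><process/></definition>"
               "<description><name>Suspicious LSASS access</name>"
               "<severity>60</severity></description></rule>",
}

if __name__ == "__main__":
    r = check_batch(SAMPLE_FILES)
    print(f"total={r.total} ok={r.correct_syntax} bad={r.incorrect_syntax} "
          f"not_imported={r.not_imported}")
    for fname, err in r.errors.items():
        print(f"  {fname}: {err}")
    print("telemetry rules to review:", r.telemetry_rules)
```

Run it over a directory of exported files (read each file into the dictionary in place of SAMPLE_FILES) before using the Import button; anything listed in errors will show up in the incorrect-syntax or not-imported counts, and the telemetry list tells you which imported rules fall under the severity 22 note.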