Detections Rules

Rules are the behavior- and reputation-based descriptions that EEI can identify from the received events and metadata.

Security engineers can add and edit their rules, but there is also a set of rules provided by ESET that cannot be modified by security engineers.

A rule is defined using XML-based language. Rules are matched on the server asynchronously, so there is some time interval when recent events are sent from client to server and then processed by rules. A matched rule can only notify security engineers by raising the detection.

The detection is displayed in Detections view but it is also exported to ESET PROTECT and from there eventually to a connected SIEM tool or an email can be automatically sent when the detection is triggered using ESET PROTECT notification mechanism.

Based on the result of the investigation the security engineer can perform a manual remediation action.

In the future, with improvements of ESET PROTECT Orchestration framework, it will be possible to define automated incident response criteria that will be executed dynamically after rule-based detection.

 

Right-click detection name or left click anywhere else on the row to bring up a context menu with the following options:

Details—Redirect to Rule Details

Details (New Tab)—Redirect to rule details in a new tab

Edit—Redirect to Edit Rule section if the detection was raised by a rule

Edit (New Tab)—Redirect to Edit Rule section if the detection was raised by a rule, but in new tab

Rerun Tasks—Redirect to the Rerun Tasks view of the particular rule

Exclusions—Redirect to the Exlusions view of the particular rule

Detections—Redirect to the Detections view of the particular rule

Enable—Enables the rule

Disable—Disables the rule

Delete—Deletes the rule

Save As—Creates a new rule with the desired name and opens rule editor

Create Exclusion—You can create an exclusion task for the selected rule(s). You are redirected to the Create Rule Exclusion section

Display Absolute/Relative Time—Absolute time will show the time in format DD/MM/YYYY HH:MM:SS. Relative time will show the time in the format minutes/hours/months in relation to present time, like "15 minutes ago" or "6 days ago"

Filter—you can find these quick filters, depending on the column:

oShow only this—Shows only records, based on this particular value

oHide this—Hides all records based on this particular value

oShow before—shows only records that are before this value (for example, time)

oShow after—shows only records that are after this value (for example, time)

oShow lower—Shows only records, which value is lower than this particular one

oShow higher—Shows only records, which value is higher than this particular one

note

Note

Rules with severity 22 and below are telemetry rules. They are usually used only as additional information for the investigation of an incident and can often be triggered by legitimate behavior. In case that some of these rules generate too much traffic in your environment, you may consider turning them off.

Tags

Tagging is an additional form of filtering that can connect multiple objects through multiple views (computer, executable, event filter, etc.). If available, the tag icon Tag_Panel is on the left side, next to the name of the view. In the Computers view, the tag panel can be accessed by clicking the Three_dots icon. In the opened tag panel, all created tags are listed and ready to use. If the list of tags is already too long, you can use the magnifying glass to search for a specific tag. At the top of the screen, the TAGS selector can be used to select the desired tags. If available, the user can use also TAGS button located at the bottom of the screen among action buttons.

Additional filters

The additional filters are accessible by clicking the ADD FILTER button or clicking on a space next to the add filter button, where the list of available filters shows. The user can search filter by typing its name or selecting from the list. For the definitions of the additional filters, follow here.

Some of the filters have a funnel icon next to them with two or four possible predefined options:

Unknown—the value in the filtered column is not available (probably not a known value at the time of occurrence)

Known—the value is available

None—value is an empty string

Any—the value is not empty. The negation of None filter

If present on the screen you, can refresh the table by clicking the refresh iconAlarms_Refresh. If available, the export icon Export_CSV can be used to export the table grid to CSV format and use it in other applications to work with the list.

If present, click the PRESETS button to manage filter sets. These options are available:

Save filters—allows you to save the actual filter set. Select the check box Include the visible columns and sorting to save also this setting of your selection, otherwise when loading saved filter without this option selected will end up by showing you the default column setting

Reset filters—resets active filter and return to default filter setting with default column setting

Reset view—resets the active view without resetting the filter set

Manage—allows you to manage your filter sets

Save Filters as Rule—if available, allows you to save the filter as a rule. You can find it then in the list of rules under the Detection rules sub-tab of the admin tab

Columns

Columns can be reorganized by using the Columns_Move icon that appears on the right side of the column name when you hover the mouse over the column name.

The width of the column can be re-sized by the Column_Resize icon that appears on the left side of the column name when you hover the mouse over the column name.

The order of the columns can be organized by clicking the name of the column:

Default (No icon)

Ascending Column_Ascending

Descending Column_Descending

You can change which columns are displayed after clicking the gear icon and selecting the Select column option, or you can reset the view to default by clicking the Reset columns option. You can use Enter quick search pattern—here, you can search for the column by typing its name or a couple of letters from it. Useful if the list of columns is long. For the definitions of the columns follow here.

You can select all the rules by selecting the check box on the left side of the Rule Name column header, or you can select each rule individually by clicking its corresponding check box.

When a rule or multiple rules are checked (selected), there are these possible actions to make, accessible through buttons at the bottom of the window:

Admin_NewYou are redirected to the Edit rule window

Admin_EnableEnable selected rule/rules

Admin_DisableDisable selected rule/rules

Admin_DeleteDelete selected rule/rules

Admin_Save_AsSaves the rule under the new name and goes to Edit Rule

Create_ExclusionRedirects you to Create Exclusion window

Admin_Re-RunRedirects you to Create rerun task window

Admin_ExportStarts the export process of the rule, depending on the used web browser. The format of the file is XML

Admin_ImportOpens the window for import the XML rule file. The window with the result of import pops up. The following information is shown:

Total count of imported rules

Count of imported rules with correct syntax

Count of imported rules with incorrect syntax

Count of not imported rules