˄˅

Detections Rules

Rules are the behavior- and reputation-based descriptions that EEI can identify from the received events and metadata.

Security engineers can add and edit their rules, but there is also a set of rules provided by ESET that cannot be modified by security engineers.

A rule is defined using XML-based language. Rules are matched on the server asynchronously, so there is some time interval when recent events are sent from client to server and then processed by rules. A matched rule can only notify security engineers by raising the detection.

The detection is displayed in Detections view but it is also exported to ESET PROTECT and from there eventually to a connected SIEM tool or an email can be automatically sent when the detection is triggered using ESET PROTECT notification mechanism.

Based on the result of the investigation the security engineer can perform a manual remediation action.

In the future, with improvements of ESET PROTECT Orchestration framework, it will be possible to define automated incident response criteria that will be executed dynamically after rule-based detection.

Right-click detection name or left click anywhere else on the row to bring up a context menu with the following options:

•Details—Redirect to Rule Details

•Details (New Tab)—Redirect to rule details in a new tab

•Edit—Redirect to Edit Rule section if the detection was raised by a rule

•Edit (New Tab)—Redirect to Edit Rule section if the detection was raised by a rule, but in new tab

•Rerun Tasks—Redirect to the Rerun Tasks view of the particular rule

•Exclusions—Redirect to the Exlusions view of the particular rule

•Detections—Redirect to the Detections view of the particular rule

•Enable—Enables the rule

•Disable—Disables the rule

•Delete—Deletes the rule

•Save As—Creates a new rule with the desired name and opens rule editor

•Create Exclusion—You can create an exclusion task for the selected rule(s). You are redirected to the Create Rule Exclusion section

•Display Absolute/Relative Time—Absolute time will show the time in format DD/MM/YYYY HH:MM:SS. Relative time will show the time in the format minutes/hours/months in relation to present time, like "15 minutes ago" or "6 days ago"

•Filter—you can find these quick filters, depending on the column:

oShow only this—Shows only records, based on this particular value

oHide this—Hides all records based on this particular value

oShow before—shows only records that are before this value (for example, time)

oShow after—shows only records that are after this value (for example, time)

oShow lower—Shows only records, which value is lower than this particular one

oShow higher—Shows only records, which value is higher than this particular one

Note

Rules with severity 22 and below are telemetry rules. They are usually used only as additional information for the investigation of an incident and can often be triggered by legitimate behavior. In case that some of these rules generate too much traffic in your environment, you may consider turning them off.

Additional filters

The additional filters are accessible by clicking the ADD FILTER button or clicking on a space next to the add filter button, where the list of available filters shows. The user can search filter by typing its name or selecting from the list. For the definitions of the additional filters, follow here.

Some of the filters have a funnel icon next to them with two or four possible predefined options:

•Unknown—the value in the filtered column is not available (probably not a known value at the time of occurrence)

•Known—the value is available

•None—value is an empty string

•Any—the value is not empty. The negation of None filter

If present on the screen you, can refresh the table by clicking the refresh icon. If available, the export icon can be used to export the table grid to CSV format and use it in other applications to work with the list.

If present, click the PRESETS button to manage filter sets. These options are available:

•Save filters—allows you to save the actual filter set. Select the check box Include the visible columns and sorting to save also this setting of your selection, otherwise when loading saved filter without this option selected will end up by showing you the default column setting

•Reset filters—resets active filter and return to default filter setting with default column setting

•Reset view—resets the active view without resetting the filter set

•Manage—allows you to manage your filter sets

•Save Filters as Rule—if available, allows you to save the filter as a rule. You can find it then in the list of rules under the Detection rules sub-tab of the admin tab

Columns

Columns can be reorganized by using the icon that appears on the right side of the column name when you hover the mouse over the column name.

The width of the column can be re-sized by the icon that appears on the left side of the column name when you hover the mouse over the column name.

The order of the columns can be organized by clicking the name of the column:

•Default (No icon)

•Ascending

•Descending

You can change which columns are displayed after clicking the gear icon and selecting the Select column option, or you can reset the view to default by clicking the Reset columns option. You can use Enter quick search pattern—here, you can search for the column by typing its name or a couple of letters from it. Useful if the list of columns is long. For the definitions of the columns follow here.

You can select all the rules by selecting the check box on the left side of the Rule Name column header, or you can select each rule individually by clicking its corresponding check box.

When a rule or multiple rules are checked (selected), there are these possible actions to make, accessible through buttons at the bottom of the window:

—You are redirected to the Edit rule window