Alarm Rules

Rules are behavior- and reputation-based descriptions of activity that ESET Enterprise Inspector (EEI) can identify in the received events and metadata.

Security engineers can add and edit their rules, but there is also a set of rules provided by ESET that cannot be modified by security engineers.

A rule is defined in an XML-based language. Rules are matched on the server asynchronously, so there is a delay between the moment recent events are sent from the client to the server and the moment they are processed by the rules. A rule therefore cannot block the execution of a process or operation: rules are intended for ex-post detection of suspicious or malicious activity, not for its prevention. A matched rule can only notify security engineers by raising an alarm.

The alarm is displayed in the Alarms view, but it is also exported to ESET Security Management Center and from there, optionally, to a connected SIEM tool. An email can also be sent automatically when the alarm is triggered, using the ESET Security Management Center notification mechanism.

Based on the result of the investigation, the security engineer can perform a manual remediation action.

In the future, with improvements to the ESET Security Management Center Orchestration framework, it will be possible to define automated incident response criteria that are executed dynamically after a rule-based detection.

The Rules guide is available for download in the ESET Enterprise Inspector Edit Rule section.


It is not possible to edit or delete the default rules listed here (these rules are created by ESET).

Refresh the information by clicking the refresh icon in the top right corner of the screen.

Click the filter button to manage filter sets.

Click the gear icon on the right of the column headers to select the columns to display or hide.

 

Right-clicking an alarm name, or left-clicking anywhere else on the row, brings up a context menu with the following options:

Details—redirects to Rule Details

Details (New Tab)—redirects to Rule Details in a new tab

Edit—redirects to the Edit Rule section if the alarm was raised by a rule

Enable—enables the rule

Disable—disables the rule

Delete—deletes the rule

Create Exclusion—creates an exclusion task for the selected rule(s). You are redirected to the Create Rule Exclusion section

Go to alarms—shows the list of alarms that were triggered by this rule

Display Absolute/Relative Time—absolute time is shown in the format DD/MM/YYYY HH:MM:SS. Relative time is shown in minutes/hours/months

 

These columns are available:

Rule name—the name of the rule (Default or Customized)

Author—the author of the rule (ESET for Default rules, otherwise the name of the user logged in at the time of creation or last edit)

Enabled—true if enabled, false if disabled

Valid—a rule saved with incorrect syntax is tagged as invalid

Severity—Threat, Warning, Info

Category:

o Persistence—rules that monitor different kinds of persistence in the system (for example autorun registry keys, new files in the %startup% folder, etc.)

o Registry - altering security features—rules that monitor security settings in the registry (for example exclusions in the firewall, etc.)

o File system—rules that monitor suspicious file operations (for example writing to ADS, creating autorun.inf, etc.)

o Suspicious process creation & process manipulation—rules that monitor manipulation of processes (for example termination of processes through the command line, a process started from the recycle bin, etc.)

o Communication—rules that monitor suspicious network communication (for example new connections, connections to known bad servers, etc.)

o Filecoders—rules that monitor behavior typical for different filecoders (ransomware)

o Web browser related—rules that monitor web browser related activity (for example Nova extensions)

o Office—rules that monitor Microsoft Office related activity (for example Word starting a new process)

o Remote desktop/Remote access—rules that monitor Remote Desktop settings (for example a change of the default port)

o Suspicious system configuration/Removing evidence—rules that monitor system configuration and settings (for example deleting logs, turning off logging, lowering the security level of the system, and other suspicious settings)

o Created from filter—the rule was created in the Executables tab using the preset called Save filters as rule

o Users can define a custom category when creating custom rules. This is done in the tag <category>Default</category>

Last edit—the time when the rule was last edited; only Custom rules can be edited.

 

You can select all the rules by selecting the check box on the left side of the Rule Name column header, or you can select each rule individually by clicking its corresponding check box.

When one or more rules are checked (selected), the following actions are available through the buttons at the bottom of the window:

New—you are redirected to the Edit Rule window

Enable—enables the selected rule(s)

Disable—disables the selected rule(s)

Delete—deletes the selected rule(s)

Save As—saves the rule under a new name and goes to Edit Rule

Create Exclusion—redirects you to the Create Exclusion window

Re-Run—redirects you to the Create re-run task window

Export—starts the export of the rule; how the download is handled depends on the web browser used. The file format is XML

Import—opens the window for importing an XML rule file. A window with the result of the import pops up, showing the following information:

Total count of imported rules

Count of imported rules with correct syntax

Count of imported rules with incorrect syntax
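The Valid column and the import summary both hinge on whether a rule file is syntactically correct XML. The following added example (not ESET's code; it assumes only the <category> element mentioned above, with the surrounding element names constructed for illustration) performs the same well-formedness check offline on a batch of exported rule files before they are imported, reproducing the three import counts and tallying categories so that malformed rules can be fixed before they show up as invalid on the server.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample rule documents. Only <category> is taken from the page;
# <rule> and <definition> are illustrative, not ESET's actual schema.
SAMPLE_RULES = {
    "persistence_run_key.xml": """<rule>
  <definition>
    <category>Persistence</category>
  </definition>
</rule>""",
    "custom_default_category.xml": """<rule>
  <definition>
    <category>Default</category>
  </definition>
</rule>""",
    # Deliberately malformed: the closing </rule> tag is missing.
    "broken_unclosed.xml": """<rule>
  <definition>
    <category>File system</category>
  </definition>""",
}


def check_rules(rules):
    """Pre-import syntax check mirroring the import result window.

    `rules` maps a file name to its XML text. Returns a dict with the total
    count, the counts of syntactically correct and incorrect rules, the
    category tally of the correct ones, and the names of the incorrect files.
    """
    categories = Counter()
    invalid_files = []
    for name, text in rules.items():
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            # Same condition that makes the server tag a rule as invalid.
            invalid_files.append(name)
            continue
        category = root.findtext(".//category")
        categories[category if category else "(no category)"] += 1
    return {
        "total": len(rules),
        "valid": len(rules) - len(invalid_files),
        "invalid": len(invalid_files),
        "categories": dict(categories),
        "invalid_files": invalid_files,
    }
```

Running check_rules on a directory of exported rules before a bulk import gives the same three counts the import window reports, plus the file names to fix.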

 

Working with filters

The same values as the column names are used as filters:

Severity—Threat, Warning, Info

Additional filters (Add Filter):

o Rule name—filter by rule name

o Author—filter by the author of the rule

o Enabled—filter by whether the rule is enabled or not

o Valid—filter by validity

o Category—filter by category name

o Last edit—filter by the time the rule was last edited. Never or equal, older or equal than: 1 hour, 1 day, 2 days, 1 week, 1 month, 3 months, 1 year, Unknown, Known

Some of the filters have a funnel icon next to them with two or four possible predefined options:

Unknown—the value in the filtered column is not available

Known—the value is available

None—the value is an empty string (probably not known at the time of occurrence)

Any—the value is not empty. Negation of the None filter

Note

All filters can be combined with one another.

See the Working With Filters topic to learn about the available options.