ESET Online Help


Detections

ESET Inspect includes a rule-based detection engine for Indicators of Attack.

Rules that identify suspicious or malicious behavior trigger detections with a defined severity. The Detections section displays each triggered detection, identifying its location (Computer) and the executable and specific process that triggered it. Each detection carries the severity defined in the rule and is assigned a priority (later available as a filter). Detections are also shown 1:1 in the ESET PROTECT Detections section under the ESET Inspect On-Prem log type. When a detection is resolved in either ESET Inspect or ESET PROTECT, it is resolved in both systems.

The Detections view allows advanced grouping and filtering by any column. You can save filter sets by user preference. You can explore each detection's details and find further information, including the next steps. Select the executable's Details, Processes and Rules from the Detections view to continue your investigation. The detection detail layout is similar to ESET PROTECT On-Prem.


important

When a high number of detections occurs, the rule is temporarily muted on the triggering computer for 24 hours; this notification is shown in the Notifications tab.

Preview panel

Click a detection to display the preview panel on the right side. Here, you will find important information about the selected detection. Some items are interactive.

Filtering, Tags and Table options

Use the filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon to open the table options and manage the main table.

Detection types

Click the detection type to display comprehensive details.

Firewall

Shows detections triggered by ESET Endpoint Security, for example, when a Firewall rule was triggered.

HIPS

Shows detections triggered by ESET Endpoint Security when HIPS protection detects an intrusion.

Filtered Websites

Shows detections triggered by ESET Endpoint Security when a website is on a blacklist (PUA, Internal or anti-phishing).

Antivirus

Shows detections triggered by ESET Endpoint Security after a scan or real-time detection.

Rule

Shows detections triggered by rules.

Blocked Executables

Shows detections triggered by matching the Blocked hashes listed in the More section.

Detection Groups

Ungrouped

Displays each detection separately when you first open the Detections tab. This is the default view.

Types

Groups detections by type, whether the trigger was a rule or a blocked file based on a hash.

Computers

Groups by computers where detections occurred.

Rules

Groups by rules that raised detections.

Processes

Groups by processes that raised detections.

Executables

Groups by executables that raised detections.

Priority (filter icons)

Shows items with a specific priority. There are four types: No priority and Priority I–III. All icons are deactivated by default, and items with all priorities are displayed. Click the priority icon to activate the filter and show items with the selected priority.

Severity

Shows the detection's severity: Threat, Warning or Info.

Click a detection to take further action:

Computer Details

Go to the Computer details tab.

Toggle Group

Expand or collapse the group; not available when Ungrouped is selected.

Mark as Resolved

Mark the detection as Resolved.

Mark as not Resolved

Mark the detection as Unresolved.

Create Exclusion

Create an exclusion for the selected rules. You are redirected to the Create Rule Exclusion section.

Edit Rule

Redirects you to the Edit Rule section if a rule raised the detection.

Edit User Actions

Opens the Edit User Actions window, showing the user actions for the rule that raised the selected detection.

Priority

Mark the detection as No priority/Priority I/Priority II/Priority III.

Add Comment

Add a comment.

Open

Open Computer—Opens Computer details for the computer that triggered the detection.

Open Process—If a Rule triggers the detection, opens the Process details of the process that caused the detection.

Open Parent Process—If the detection has a parent process, opens the parent Process details.

Tags

Assign tags to a detection from the existing list or create custom tags.

Audit log

Go to the Audit log tab.

Incident

• Create an incident report

• Add to a current incident

• Add to a recent incident, which shows the last three incidents

• Select an incident to add to

Filter

Show quick filters on the column where you activated the context menu (Show only this, Hide this).