ESET Online Help


Rules

Rules are behavior- and reputation-based descriptions of activity that ESET Inspect can recognize in the events and metadata it receives from endpoints.

Security engineers can add and edit their rules, but there is also a set of rules provided by ESET that security engineers cannot modify.

A rule is defined in an XML-based language. Rules are matched on the server asynchronously, so there is a delay between an event occurring on the client and that event being sent to the server and processed by the rules. A matched rule notifies security engineers by raising a detection.

The detection is displayed in the Detections view and is also exported to ESET PROTECT and, from there, to a connected SIEM tool. Using the ESET PROTECT notification mechanism, an email can be sent automatically when the detection is triggered.

Based on the result of the investigation, the security engineer can perform a manual remediation action.

As the ESET PROTECT Orchestration framework improves, it will become possible to define automated incident response criteria that are executed dynamically after a rule-based detection.


note

Rules with a severity score of 22 and below are telemetry rules. They usually serve only as additional context when investigating an incident and are often triggered by legitimate behavior. If some of these rules generate too much traffic in your environment, consider turning them off.

Since version 1.8, detection rules can be evaluated in ESET Inspect Connector. To use this feature, LiveGrid® must be enabled in ESET Endpoint. Enabled LiveGrid® in ESET Endpoint is also required for ESET Inspect Cloud version 1.8 or later.

If ESET Inspect Connector version 1.8 or later causes performance issues on the ESET Endpoint, you can switch detection rule evaluation back to ESET Inspect Server. This option is only available for on-premises installations.

Activate detection rules evaluation on ESET Inspect Server.

If the connection between ESET Inspect Server and ESET Inspect Connector is interrupted:

ESET Inspect Connector continues to evaluate the rules locally and sends the triggered detections and the collected raw events to ESET Inspect Server once the connection is restored.

If ESET Inspect Connector matches a raw event against a detection rule that has a response action assigned, only the Kill process action is executed immediately.
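The following Python model is an added illustration of the behavior described above and is not ESET code: it does not use the ESET Inspect rule language or the Connector's real interfaces. Rules are plain predicates, events are dictionaries, and the class and function names (Rule, Detection, Connector, severity_of) are hypothetical. It shows the severity-score bands used in the Rule details (1–39 Info, 40–69 Warning, 70–100 Threat), the telemetry cutoff at score 22, and what happens to detections, raw events and response actions while the server connection is down. The second response action, "Isolate from network", and the two sample events are constructed for this example.

```python
"""Simplified model of ESET Inspect rule evaluation on the Connector (not ESET code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]

TELEMETRY_MAX_SCORE = 22                                    # score <= 22: telemetry rule
SEVERITY_BANDS = ((70, "Threat"), (40, "Warning"), (1, "Info"))  # 70-100, 40-69, 1-39


def severity_of(score: int) -> str:
    """Map a severity score (1-100) to the severity label shown in Rule details."""
    if not 1 <= score <= 100:
        raise ValueError("severity score must be between 1 and 100")
    return next(name for floor, name in SEVERITY_BANDS if score >= floor)


def is_telemetry(score: int) -> bool:
    return score <= TELEMETRY_MAX_SCORE


@dataclass
class Rule:                      # hypothetical stand-in for an XML rule definition
    name: str
    severity_score: int
    match: Callable[[Event], bool]
    actions: List[str] = field(default_factory=list)  # assigned response actions
    enabled: bool = True


@dataclass
class Detection:
    rule: str
    severity: str
    event: Event
    deferred_actions: List[str] = field(default_factory=list)  # not run immediately


class Connector:
    """Evaluates rules locally and queues results while the server is unreachable."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.connected = True
        self.executed: List[str] = []            # actions executed on the endpoint
        self.sent_detections: List[Detection] = []
        self.sent_events: List[Event] = []
        self.pending_detections: List[Detection] = []
        self.pending_events: List[Event] = []

    def process(self, event: Event) -> List[Detection]:
        hits: List[Detection] = []
        for rule in self.rules:
            if not rule.enabled or not rule.match(event):
                continue
            det = Detection(rule.name, severity_of(rule.severity_score), event)
            if self.connected:
                self.executed.extend(rule.actions)
                self.sent_detections.append(det)
            else:
                # Offline: only "Kill process" runs right away. The page says nothing
                # about the remaining actions beyond that, so they are only recorded.
                self.executed.extend(a for a in rule.actions if a == "Kill process")
                det.deferred_actions = [a for a in rule.actions if a != "Kill process"]
                self.pending_detections.append(det)
            hits.append(det)
        # Raw events are streamed while online and collected while offline.
        (self.sent_events if self.connected else self.pending_events).append(event)
        return hits

    def reconnect(self) -> int:
        """Flush queued detections and raw events; return how many detections were sent."""
        self.connected = True
        flushed = len(self.pending_detections)
        self.sent_detections.extend(self.pending_detections)
        self.sent_events.extend(self.pending_events)
        self.pending_detections.clear()
        self.pending_events.clear()
        return flushed

    def disable_telemetry_rules(self) -> int:
        """Turn off noisy telemetry rules (score <= 22); return how many were disabled."""
        noisy = [r for r in self.rules if r.enabled and is_telemetry(r.severity_score)]
        for r in noisy:
            r.enabled = False
        return len(noisy)


# Constructed sample events (not real telemetry).
ONLINE_EVENT: Event = {"process": "powershell.exe",
                       "cmdline": "powershell.exe -enc SQBFAFgA",
                       "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
OFFLINE_EVENT: Event = {"process": "powershell.exe",
                        "cmdline": "powershell.exe -EnC dwBoAG8AYQBtAGkA",
                        "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\ps.exe"}


def demo() -> Connector:
    """One event while online, then the link drops and a second event arrives."""
    rules = [
        Rule("Encoded PowerShell command line", 65,
             lambda e: e["process"] == "powershell.exe" and "-enc" in e["cmdline"].lower(),
             actions=["Kill process", "Isolate from network"]),   # second action hypothetical
        Rule("Executable started from user temp", 15,            # telemetry rule
             lambda e: "\\appdata\\local\\temp\\" in e["path"].lower()),
    ]
    connector = Connector(rules)
    connector.process(ONLINE_EVENT)
    connector.connected = False          # connection to ESET Inspect Server interrupted
    connector.process(OFFLINE_EVENT)
    return connector
```

Calling demo() leaves the connector with one detection already sent, two detections and one raw event queued, and only the Kill process part of the second rule hit executed; reconnect() then delivers the backlog, and disable_telemetry_rules() switches off the score-15 rule so a repeat of the same event raises only the Warning-level detection.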

Filtering, Tags and Table options

Use the filters at the top of the screen to refine the list of displayed items. Tags are also useful when searching for a specific computer, detection, incident, executable, or script. You can also click the gear icon to open the table options and manage the main table.

The rule window consists of the following parts:

Rule details

Summary of the rule.

Rule—The name of the rule.

Author—The name of the user who was logged in when the rule was created.

Last Edit—Date of the last edit of the rule.

Category—Category name that you can find among category tags in the Edit Rule section.

Severity—Shows the severity of the detection: Threat, Warning, or Info.

Severity Score—A more precise definition of severity: 1–39 is Info, 40–69 is Warning, 70–100 is Threat.

Remediation actions—Click Select user actions to open rule options and choose what action(s) to apply.

Explanation—Describes the behavior the rule detects.

Malicious Causes—The malicious activity that the detected behavior may indicate.

Benign Causes—Legitimate activity that can also trigger the rule.

MITRE ATT&CK™ TECHNIQUES—If the rule contains the ID of a MITRE ATT&CK™ technique, it is shown here.

Rerun Tasks—The number of rerun tasks that contain this rule.

Exclusions—The number of exclusions created for this rule.

Tags—Assign tag(s) to a rule from the list of existing, or create new custom tag(s).

Edit Rule

You can add or edit rules here. On the right side is the Syntax Reference; at its bottom you can find the link to the Rules Guide.

Targets

You can see and assign or unassign computers or groups in this window.

Rerun Tasks

Provides the same information as the sub-tab Tasks in the More tab, except it shows only tasks created for this specific rule.

Exclusions

Provides the same options as the Exclusions sub-tab in the More tab. Clicking a detection redirects you to its Detection details.

Click a rule name to take further actions:

Details

Opens summary of the rule.

Detections

Redirects to the Detections view filtered to the specific rule.

Exclusions

Redirects to the Exclusions view filtered to the specific rule.

Edit Rule

Redirects to the Edit Rule section for the specific rule.

Edit User Actions

Redirects to the Edit User Actions section of the specific rule.

Change assignment

Go to the Targets view of the specific rule.

Rerun Tasks

Go to the Rerun Tasks view of the specific rule.

Create Exclusion

Creates an exclusion for the selected rule(s). You are redirected to the Create Rule Exclusion window.

Enable

Enables the selected rule(s).

Disable

Disables the selected rule(s).

Delete

Deletes the selected rule(s).

Save As

Creates a copy of the rule under the name you choose and opens it in the rule editor.

Access group

Displays the currently assigned access group. Click Move to assign a different access group.

Tags

Assign tag(s) to a rule from the list of existing tags, or create new custom tag(s).

Filter

Quick filters, depending on the column where you activated the context menu (Show only this, Hide this).

Rerun Rules

Redirects you to the Create rerun task window.

Export

Exports the rule as an XML file. How the download is handled depends on the web browser you use.

Import

Opens the window for importing an XML rule file.