Detections

ESET Inspect includes a rule-based detection engine for Indicators of Attack.

Rules written to identify suspicious or malicious behavior trigger detections with a defined severity. Each triggered detection is listed in the Detections section with a clear identification of where it happened (Computer), which executable triggered it, and even which specific process triggered it. It is accompanied by the severity defined in the rule, and each detection is assigned a priority (later available as a filtering option). Detections are also shown 1:1 in the Threats section of ESET PROTECT under a specific log type labeled ESET Inspect. When a detection is resolved in ESET Inspect or ESET PROTECT, it is also resolved in the other system (the two systems are synchronized).

The Detections view allows advanced grouping and filtering by any column in the view. It is also possible to save filter sets per user preference. You can drill down into the details of every detection, where further details about the executable, process, user and computer are displayed, together with an explanation of the possible cause and suggested next steps. From a detection you can navigate to the details of the executable, process or rule and continue the investigation. The detection detail layout is similar to the design language used in ESET PROTECT, focusing on easy readability.

Preview panel

Click a detection to display the preview panel on the right side. The detection preview contains the most important information about the selected detection. Some items are interactive.

Filtering, Tags and Table options

Use the filters at the top of the screen to refine the list of displayed items. Tags are also useful when searching for a specific computer, detection, incident, executable, or script. You can also click the gear icon for table options to manage the main table.

Detection types:

Click the detection type to display comprehensive details.

Firewall

Shows detections triggered by ESET Endpoint Security itself, for example when a Firewall rule was triggered.

HIPS

Shows detections triggered by ESET Endpoint Security itself when HIPS protection detects an intrusion.

Filtered Websites

Shows detections triggered by ESET Endpoint Security itself when a website is on a blacklist (PUA, Internal or Anti-Phishing).

Antivirus

Shows detections triggered by ESET Endpoint Security itself, after a scan or after real-time detection.

Rule

Shows detections triggered by rules.

Blocked Executables

Shows detections triggered by matching the Blocked hashes listed in the More section.

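The following Python script is an added illustration of how the Blocked Executables type works in principle; it is not ESET code. It computes the hash of an executable on disk and compares it against a list of blocked hashes. The list format (one hex digest per line, comments allowed), the choice of SHA-1 as the digest, and the two sample files are assumptions constructed for this example.

```python
"""Hash-based blocking as used by the Blocked Executables detection type.
Added illustration, not ESET code: the list format, the use of SHA-1 and
the sample files are assumptions made here."""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample "executables" (arbitrary bytes, not real PE files).
KNOWN_BAD = b"MZ\x90\x00" + b"evil-dropper" * 16
BENIGN = b"MZ\x90\x00" + b"harmless-tool" * 16


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def parse_blocklist(text: str) -> set:
    """One hex SHA-1 per line, '#' starts a comment.  Entries are
    normalised to lower case so that an upper-case hash still matches."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if len(line) != 40 or any(c not in "0123456789abcdefABCDEF" for c in line):
            raise ValueError(f"not a SHA-1 hex digest: {line!r}")
        entries.add(line.lower())
    return entries


# Constructed blocked-hash list: upper case plus a comment, to exercise parsing.
BLOCKLIST_TEXT = f"""
# blocked hashes (constructed example)
{sha1_hex(KNOWN_BAD).upper()}   # dropper seen in an earlier incident
"""


def check_file(path: Path, blocklist: set) -> dict:
    """Hash the file in chunks and return a detection-like record."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    sha1 = digest.hexdigest()
    return {"path": path.name, "sha1": sha1, "blocked": sha1 in blocklist}


def scan_samples() -> list:
    """Write the two samples to a temporary directory and check both."""
    blocklist = parse_blocklist(BLOCKLIST_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        files = {"update.exe": KNOWN_BAD, "tool.exe": BENIGN}
        for name, data in files.items():
            (Path(tmp) / name).write_bytes(data)
        return [check_file(Path(tmp) / name, blocklist) for name in files]


if __name__ == "__main__":
    for record in scan_samples():
        print(record)
```

The point of the normalisation and validation in parse_blocklist is that a hash pasted in upper case, or a malformed entry, should not silently fail to match; a blocklist that never matches is worse than an error at load time.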
Detection Groups:

Ungrouped

This is the default view. When you open the Detections tab for the first time, you see each detection separately.

Types

In this filter, detections are grouped based on detection type (for example, whether the trigger was a rule or a file blocked based on its hash).

Computers

Detections grouped by a computer on which they occurred.

Rules

Grouped by rules that raised detections.

Processes

Grouped by processes that raised detections.

Executables

Grouped by executables that raised detections.

Uniqueness

Grouped by the uniqueness of the detection type.

Priority (filter icons)

Click to show only items with a specific priority. There are four types: no priority and priority I to III. All icons are deactivated by default, meaning items with all priorities are displayed. Click a priority icon to activate the filter and show only items with the selected priority.

Severity

Shows the severity of the detection: Threat, Warning or Info.

Click a detection to take further actions:

Computer Details

Go to the Computer details tab.

Toggle Group

Not available if Ungrouped is selected. Expands or collapses the group.

Mark as Resolved

Marks the detection as Resolved.

Mark as Unresolved

Marks the detection as Unresolved.

Create Exclusion

Create an exclusion for the selected rule(s). You are redirected to the Create Rule Exclusion screen.

Edit Rule

Redirects you to the Edit Rule section if the detection was raised by a rule.

Add Comment

Optionally, you can add a comment.

Open

Open Computer - Opens Computer details of the Computer on which the detection was triggered.

Open Process - If the detection was triggered by a rule, redirects you to the Process details of the process that caused the detection.

Open Parent Process - If the detection has a parent process, redirects you to the Process details of that parent process.

Tags

Assign tag(s) to a detection from the list of existing, or create new custom tag(s).

Audit log

Go to the Audit log tab.

Incident

Create a new incident, or add the detection to an existing (currently active) incident.

Filter

Quick filters, depending on the column where you activated the context menu (Show only this, Hide this).