Rules

Rules are the behavior- and reputation-based descriptions that ESET Inspect can identify from the received events and metadata.

Security engineers can add and edit their rules, but there is also a set of rules provided by ESET that security engineers cannot modify.

A rule is defined using XML-based language. Rules are matched on the server asynchronously, so there is some time interval when recent events are sent from client to server and then processed by rules. A matched rule can only notify security engineers by raising the detection.

The detection is displayed in the Detections view, but it is exported to ESET PROTECT and eventually to a connected SIEM tool. An email can be automatically sent when the detection is triggered using the ESET PROTECT notification mechanism.

Based on the result of the investigation, the security engineer can perform a manual remediation action.

With improvements of ESET PROTECT Orchestration framework, it will be possible to define automated incident response criteria that will be executed dynamically after rule-based detection.


note

Rules with severity 22 and below are telemetry rules. They are usually used only as additional information for investigating an incident and can often be triggered by legitimate behavior. If some of these rules generate too much traffic in your environment, you may consider turning them off.

Filtering, Tags and Table options

Use filters at the top of the screen to refine the list of displayed items. Tags are also powerful when searching for a specific computer, detection, incident, executable, or script. Also you can click the gear gear_icon icon for table options to manage the main table.

The rule window consists of the following parts:

Rule details

Summary of the rule.

Rule - The name of the rule.

Author - The name of the user that was logged at the time of the rule creation.

Last Edit - Date of the last edit of the rule.

Category - Category name that you can find among category tags in the Edit Rule section.

Severity - Shows the severity of the detection. Threat Alarm_Severity_Threat Warning Alarm_Severity_Warning Info Alarm_Severity_Info

Severity Score - More precise definition of severity. 1-39 > Info Alarm_Severity_Info 40-69 > Warning Alarm_Severity_Warning 70 - 100 > Threat Alarm_Severity_Threat

Remediation actions - Click Select user action to open rule options and choose what action(s) to apply.

Explanation - Explanation of the behavior of the file.

Malicious Causes - What can be a result of a file execution.

Benign Causes - Detail about possibly unharmful activity.

MITRE ATT&CK™ TECHNIQUES - If the rule contains an ID of the MITRE ATT&CK™ TECHNIQUE it is shown here.

Rerun Tasks - The number of rerunning the tasks containing this rule.

Exclusions - The number of exclusions created for this rule.

Tags - Assign tag(s) to a computer from the list of existing, or create new custom tag(s).

Edit Rule

You can add or edit the rules. On the right side, you can see the Syntax Reference,where on the bottom, you can find the link to the Rules Guide.

Rerun Tasks

Provides the same information as the sub-tab Tasks in the More tab, except it shows only tasks created for this specific rule.

Exclusions

Provides the same options as the Exclusions sub-tab in the More tab. After clicking on an Detection, you are redirected to its Detection details.

Right-click a rule name to take further actions:

Edit

Redirect to Edit Rule section if the detection was raised by a rule

Rerun Tasks

Go to the Rerun Tasks view of the specific rule.

Exclusions

Go to the Exclusions view of the specific rule.

Detections

Redirect to the Detections view of the specific rule.

Enable

 

Disable

 

Delete

 

Save As

Creates a new rule with the desired name and opens rule editor.

Create Exclusion

You can create an exclusion task for the selected rule(s). You are redirected to the Create Rule Exclusion section.

Rerun rules

Redirects you to Create rerun task window.

Export

Starts the export process of the rule, depending on the used web browser. The format of the file is XML.

Import

Opens the window for import the XML rule file.

Tags

Assign tag(s) to a computer from the list of existing, or create a new custom tag(s).

Display Absolute/Relative Time

Absolute time will show the time in format DD/MM/YYYY HH:MM:SS. Relative time will show the time in the format minutes/hours/months concerning present time, like 15 minutes ago or six days ago.

Filter

Quick filters, depending on the column where you activated the context menu (Show only this, Hide this).