Rules
Rules are the behavior- and reputation-based descriptions that ESET Inspect can identify from the received events and metadata.
Security engineers can add and edit their rules, but there is also a set of rules provided by ESET that security engineers cannot modify.
A rule is defined using XML-based language. Rules are matched on the server asynchronously, so there is some time interval when recent events are sent from client to server and then processed by rules. A matched rule can only notify security engineers by raising the detection.
The detection is displayed in the Detections view, but it is exported to ESET PROTECT and eventually to a connected SIEM tool. An email can be automatically sent when the detection is triggered using the ESET PROTECT notification mechanism.
Based on the result of the investigation, the security engineer can perform a manual remediation action.
With improvements of ESET PROTECT Orchestration framework, it will be possible to define automated incident response criteria that will be executed dynamically after rule-based detection.
|
Rules with severity 22 and below are telemetry rules. They are usually used only as additional information for investigating an incident and can often be triggered by legitimate behavior. If some of these rules generate too much traffic in your environment, you may consider turning them off. |
Filtering, Tags and Table options
Use filters at the top of the screen to refine the list of displayed items. Tags are also powerful when searching for a specific computer, detection, incident, executable, or script. Also you can click the gear 
icon for table options to manage the main table.
The rule window consists of the following parts:
Summary of the rule. •Rule - The name of the rule. •Author - The name of the user that was logged at the time of the rule creation. •Last Edit - Date of the last edit of the rule. •Category - Category name that you can find among category tags in the Edit Rule section. •Severity - Shows the severity of the detection. Threat •Severity Score - More precise definition of severity. 1-39 > Info •Remediation actions - Click Select user action to open rule options and choose what action(s) to apply. •Explanation - Explanation of the behavior of the file. •Malicious Causes - What can be a result of a file execution. •Benign Causes - Detail about possibly unharmful activity. •MITRE ATT&CK™ TECHNIQUES - If the rule contains an ID of the MITRE ATT&CK™ TECHNIQUE it is shown here. •Rerun Tasks - The number of rerunning the tasks containing this rule. •Exclusions - The number of exclusions created for this rule. •Tags - Assign tag(s) to a rule from the list of existing, or create new custom tag(s). |
Warning 
Info 
You can add or edit the rules. On the right side, you can see the Syntax Reference,where on the bottom, you can find the link to the Rules Guide. |
Provides the same information as the sub-tab Tasks in the More tab, except it shows only tasks created for this specific rule. |
Provides the same options as the Exclusions sub-tab in the More tab. After clicking on an Detection, you are redirected to its Detection details. |
Right-click a rule name to take further actions:
Edit |
Redirect to Edit Rule section if the detection was raised by a rule |
|---|---|
Rerun Tasks |
Go to the Rerun Tasks view of the specific rule. |
Exclusions |
Go to the Exclusions view of the specific rule. |
Detections |
Redirect to the Detections view of the specific rule. |
Enable |
|
Disable |
|
Delete |
|
Save As |
Creates a new rule with the desired name and opens rule editor. |
Create Exclusion |
You can create an exclusion task for the selected rule(s). You are redirected to the Create Rule Exclusion section. |
Rerun rules |
Redirects you to Create rerun task window. |
Export |
Starts the export process of the rule, depending on the used web browser. The format of the file is XML. |
Import |
Opens the window for import the XML rule file. |
Tags |
Assign tag(s) to a rule from the list of existing, or create a new custom tag(s). |
Display Absolute/Relative Time |
Absolute time will show the time in format DD/MM/YYYY HH:MM:SS. Relative time will show the time in the format minutes/hours/months concerning present time, like 15 minutes ago or six days ago. |
Filter |
Quick filters, depending on the column where you activated the context menu (Show only this, Hide this). |