ESET Online Help

Select the category
Select the topic


Rules are the behavior- and reputation-based descriptions that ESET Inspect can identify from the received events and metadata.

Security engineers can add and edit their rules, but there is also a set of rules provided by ESET that security engineers cannot modify.

A rule is defined using XML-based language. Rules are matched on the server asynchronously, so there is some time interval when recent events are sent from client to server and then processed by rules. A matched rule can only notify security engineers by raising the detection.

The detection is displayed in the Detections view, but it is exported to ESET PROTECT On-Prem and eventually to a connected SIEM tool. An email can be automatically sent when the detection is triggered using the ESET PROTECT On-Prem notification mechanism.

Based on the result of the investigation, the security engineer can perform a manual remediation action.

With improvements of ESET PROTECT On-Prem Orchestration framework, it will be possible to define automated incident response criteria that will be executed dynamically after rule-based detection.


Rules with severity 22 and below are telemetry rules. They are usually used only as additional information for investigating an incident and can often be triggered by legitimate behavior. If some of these rules generate too much traffic in your environment, you may consider turning them off.

Since version 1.8 you can evaluate detection rules in ESET Inspect Connector, you need to enable LiveGrid® in ESET Endpoint to use this feature. Enabled LiveGrid® in ESET Endpoint is required for ESET Inspect version 1.8 or later.

Suppose there are performance issues on the ESET Endpoint using ESET Inspect Connector version 1.8 or later. In that case, you can switch detection rules evaluation to be done by ESET Inspect Server. This option is only available for on-premises.

Activate detection rules evaluation on ESET Inspect Server.

If the connection between ESET Inspect Server and ESET Inspect Connector is interrupted:

ESET Inspect Connector will perform the evaluation and send the triggered detections, and collected raw events to the ESET Inspect Server after the restored connection

ESET Inspect Connector finds a match between the raw event and detection rule, which has response action assigned, and only the Kill process is executed immediately

Filtering, Tags and Table options

Use filters at the top of the screen to refine the list of displayed items. Tags are also powerful when searching for a specific computer, detection, incident, executable, or script. Also you can click the gear gear_icon icon for table options to manage the main table.

The rule window consists of the following parts:

Rule details

Summary of the rule.

Rule—The name of the rule.

Author—The name of the user that was logged at the time of the rule creation.

Last Edit—Date of the last edit of the rule.

Category—Category name that you can find among category tags in the Edit Rule section.

SeverityShows the severity of the detection: Threat alarm_severity_threat, Warning alarm_severity_warning, Infoalarm_severity_info

Severity Score—A more precise definition of severity. 1–39 > Info alarm_severity_info 40–69 > Warning alarm_severity_warning 70–100 > Threat alarm_severity_threat

Remediation actions—Click Select user actions to open rule options and choose what action(s) to apply.

Explanation—Explanation of the behavior of the file.

Malicious Causes—What can be a result of a file execution.

Benign Causes—Detail about possibly unharmful activity.

MITRE ATT&CK™ TECHNIQUES—If the rule contains an ID of the MITRE ATT&CK™ TECHNIQUE it is shown here.

Rerun Tasks—The number of rerunning the tasks containing this rule.

Exclusions—The number of exclusions created for this rule.

Tags—Assign tag(s) to a rule from the list of existing, or create new custom tag(s).

Edit Rule

You can add or edit the rules. On the right side, you can see the Syntax Reference,where on the bottom, you can find the link to the Rules Guide.


You can see and assign or unassign computers or groups in this window.

Rerun Tasks

Provides the same information as the sub-tab Tasks in the More tab, except it shows only tasks created for this specific rule.


Provides the same options as the Exclusions sub-tab in the More tab. After clicking on an Detection, you are redirected to its Detection details.

Click a rule name to take further actions:


Opens summary of the rule.


Redirect to the Detections view of the specific rule.


Go to the Exclusions view of the specific rule.

Edit Rule

Redirect to Edit Rule section if the detection was raised by a rule.

Edit User Actions

Redirect to Edit User Actions section of the specific rule.

Change assignment

Go to the Targets view of the specific rule.

Rerun Tasks

Go to the Rerun Tasks view of the specific rule.

Create Exclusion

Create an exclusion task for selected rules. You are redirected to the Create Rule Exclusion.







Save As

Creates a new rule with the desired name and opens rule editor.

Access group

Displays currently assigned access group. Click Move to assign different access group.


Assign tag(s) to a rule from the list of existing, or create a new custom tag(s).


Quick filters, depending on the column where you activated the context menu (Show only this, Hide this).

Rerun Rules

Redirects you to Create rerun task window.


Starts the export process of the rule, depending on the used web browser. The format of the file is XML.


Opens the window for import the XML rule file.