Exclusions
ESET Inspect allows you to match incoming events against rules. Rules are defined using an XML-based language to predicate conditions over events property (Module name, Hash, Signer, Popularity).
Rules can be edited, enabled or disabled when an events reception is provided to the RuleEngine component. It will be compiled and matched against the events, eventually raising a detection.
For this reason, you need to filter and exclude some detections.
As most filtering is based on the same property used in the rules, exclusions are defined using the same rules language. The advantage of this is that it allows for the fair reuse of existing machinery.
There is an editing tool wizard, as exclusions are usually strictly related to an existing rule. Starting from an existing detection, the wizard provides initial values for the exclusion rule conditions.
Filtering, Tags and Table options
Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon for table options to manage the main table.
Click an exclusion name to take further action:
Edit |
Go to the update exclusion window. |
---|---|
Enable |
|
Disable |
|
Delete |
|
Access group |
Displays the currently assigned access group. Click Move to reassign access group. |
Tags |
Assign detection tags from the existing list or create custom tags. |
Filter |
Show quick filters on the column where you activated the context menu (Show only this, Hide this). |
New exclusion |
Go to the Create exclusion window. |
Export |
Start the rule’s export process to an XML file, depending on the web browser. |
Import |
Open the window for import the XML rule file. |