Rules
Rules are the behavior- and reputation-based descriptions that ESET Inspect can identify from received events and metadata.
Security engineers can add and edit their rules, and there are rules provided by ESET that cannot be modified.
A rule is defined using XML-based language. Rules are matched on the server asynchronously, so there is some time interval when recent events are sent from client to server and then processed by rules. A matched rule can only notify security engineers by raising a detection.
The detection displays in the Detections view, and an email can be automatically sent when the detection is triggered using the ESET PROTECT On-Prem notification mechanism.
A security engineer can perform a manual remediation action based on the investigation's results.
Rules with severity 22 and below are telemetry rules. They are usually used only as additional information for investigating an incident and can often be triggered by legitimate behavior. If some of these rules generate too much traffic in your environment, you may consider turning them off. |
You can evaluate detection rules in ESET Inspect Connector. To use this feature, enable LiveGrid® in ESET Endpoint. Enabled LiveGrid® in ESET Endpoint is required for ESET Inspect version 1.8 or later.
If performance issues occur on the ESET Endpoint using ESET Inspect Connector version 1.8 or later, you can switch detection rules evaluation to be done by ESET Inspect Server. This is only available on-premises.
Activate detection rules evaluation on ESET Inspect Server.
If the connection between ESET Inspect Server and ESET Inspect Connector is interrupted:
•ESET Inspect Connector performs the evaluation, sends the triggered detections and collected raw events to the ESET Inspect Server after the restored connection
•ESET Inspect Connector finds a match between the raw event and detection rule, which has a response action assigned, and only the Kill process executes immediately
Filtering, Tags and Table options
Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon for table options to manage the main table.
The rule window consists of the following parts:
Summary of the rule. •Rule—The rule’s name. •Author—The user's name who was logged in at the time of the rule creation. •Last Edit—The date the rule was last edited. •Category—The category name found among category tags in the Edit Rule section. •Severity—Shows the detection's severity: Threat , Warning or Info •Severity Score—A precise severity definition: 1–39 > Info ; 40–69 > Warning ; 70–100 > Threat •Remediation actions—Click Select user actions to open rule options and choose actions. •Explanation—An explanation of the file's behavior. •Malicious Causes—The possible result of a file execution. •Benign Causes—Details about possibly unharmful activity. •MITRE ATT&CK™ TECHNIQUES—The MITRE ATT&CK™ TECHNIQUE ID, if contained. •Rerun Tasks—The number of tasks that are rerun using this rule. •Exclusions—The number of exclusions created for this rule. •Tags—Assigns detection tags from the existing list or create custom tags. |
You can add or edit the rules. On the right side, you can see the Syntax Reference; at the bottom, you can find the link to the Rules Guide. |
Targets
You can see and assign or unassign computers or groups in this window. |
Provides similar information as the sub-tab Tasks in the More tab, except it shows only the rule's tasks. |
Provides the same options as the Exclusions sub-tab in the More tab. Click a Detection to be redirected to the Detection details. |
Click a rule name to take further action:
Details |
Opens a summary. |
---|---|
Detections |
Redirect to a rule's Detections view. |
Exclusions |
Go to a rule's Exclusions view. |
Edit Rule |
Redirect to Edit Rule section if the detection was raised by a rule. |
Edit User Actions |
Redirect to a rule's Edit User Actions section. |
Change assignment |
Go to a rule's Targets view. |
Rerun Tasks |
Go to a rule's Rerun Tasks view. |
Create Exclusion |
Create an exclusion task for selected rules. You are redirected to the Create Rule Exclusion. |
Enable |
|
Disable |
|
Delete |
|
Save As |
Creates a new rule with the desired name and opens rule editor. |
Access group |
Displays the currently assigned access group. Click Move to reassign access group. |
Tags |
Assigns detection tags from the existing list or create custom tags. |
Filter |
Show quick filters on the column where you activated the context menu (Show only this, Hide this). |
Rerun Rules |
Redirects you to Create rerun task window. |
Export |
Starts the rule’s export process to an XML file, depending on the web browser. |
Import |
Opens the import window for the XML rule file. |