Detections
ESET Inspect On-Prem includes a rule-based detection engine for Indicators of Attack.
Rules identify suspicious or malicious behavior and trigger detections with a defined severity. The Detection section displays each triggered detection, identifying its location (Computer) and the executable and specific process that triggered it. Each detection carries the severity defined in the rule and can be given a priority (later available as a filter). Detections are also shown 1:1 in the ESET PROTECT On-Prem Detections section under the ESET Inspect log type. When a detection is resolved in either ESET Inspect On-Prem or ESET PROTECT On-Prem, it is resolved in both systems.
The Detections view allows advanced grouping and filtering by any column. You can save filter sets by user preference. You can explore each detection's details and find further information, including the next steps. Select the executable's Details, Processes and Rules from the Detections view to continue your investigation. The detection detail layout is similar to ESET PROTECT On-Prem.
When a high number of detections occur, the rule is temporarily muted on the triggered computer for 24 hours; this is reported in the Notifications tab.
Preview panel
Click a detection to display the preview panel on the right side. Here, you will find important information about the selected detection. Some items are interactive.
Filtering, Tags and Table options
Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon for table options to manage the main table.
Detection types
Click the detection type to display comprehensive details.
- Shows detections triggered by ESET Endpoint Security, for example, if a Firewall rule was triggered.
- Shows detections triggered by ESET Endpoint Security when HIPS protection detects an intrusion.
- Shows detections triggered by ESET Endpoint Security if the website is on a blacklist (PUA, Internal or anti-phishing).
- Shows detections triggered by ESET Endpoint Security after a scan or real-time detection.
- Filters triggered detections based on rules.
- Shows detections triggered by matching the Blocked hashes listed in the More section.
Detection Groups
| Group | Description |
|---|---|
| Ungrouped | Displays each detection separately when you first open the Detections tab. This is the default view. |
| Types | Groups detections by type, whether the trigger was a rule or a blocked file based on a hash. |
| Computers | Groups by computers where detections occurred. |
| Rules | Groups by rules that raised detections. |
| Processes | Groups by processes that raised detections. |
| Executables | Groups by executables that raised detections. |
Priority (filter icons)
Shows items with a specific priority. There are four types: No priority and Priority I–III. All icons are deactivated by default, and items with all priorities are displayed. Click the priority icon to activate the filter and show items with the selected priority.
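The grouping options and the priority filter above are easiest to understand on a handful of records. The following Python script is an added example, not part of the ESET documentation or product: it builds a few constructed detection records (hypothetical computer, rule and process names) and reproduces the view logic described here, with one grouping key per option in the Detection Groups table and a priority filter that returns everything when no priority icon is active.

```python
from collections import defaultdict

# Constructed sample detections; names and values are hypothetical.
# priority: 0 = No priority, 1..3 = Priority I..III.
DETECTIONS = [
    {"id": 1, "type": "Rule", "computer": "ws-01", "rule": "Suspicious PowerShell",
     "process": "powershell.exe", "executable": "powershell.exe", "severity": "Warning", "priority": 2},
    {"id": 2, "type": "Rule", "computer": "ws-01", "rule": "Office spawns shell",
     "process": "cmd.exe", "executable": "cmd.exe", "severity": "Threat", "priority": 1},
    {"id": 3, "type": "Rule", "computer": "ws-02", "rule": "Suspicious PowerShell",
     "process": "powershell.exe", "executable": "powershell.exe", "severity": "Warning", "priority": 0},
    {"id": 4, "type": "Blocked hash", "computer": "ws-02", "rule": None,
     "process": "tool.exe", "executable": "tool.exe", "severity": "Threat", "priority": 1},
    {"id": 5, "type": "Rule", "computer": "srv-01", "rule": "Suspicious PowerShell",
     "process": "pwsh.exe", "executable": "pwsh.exe", "severity": "Info", "priority": 0},
]

# Each Detection Groups option maps to one record field.
GROUP_KEYS = {
    "Types": "type",
    "Computers": "computer",
    "Rules": "rule",
    "Processes": "process",
    "Executables": "executable",
}


def group_detections(detections, group_by="Ungrouped"):
    """Return {group value: [detections]}; Ungrouped keeps one entry per detection."""
    if group_by == "Ungrouped":
        return {d["id"]: [d] for d in detections}
    key = GROUP_KEYS[group_by]
    groups = defaultdict(list)
    for d in detections:
        # Blocked-hash detections have no rule; keep them visible under "(none)".
        groups[d.get(key) or "(none)"].append(d)
    return dict(groups)


def toggle_priority(active, priority):
    """Click a priority icon: add it to, or remove it from, the active set."""
    return active ^ {priority}


def filter_by_priority(detections, active):
    """No active icon means no filter: all priorities are displayed."""
    if not active:
        return list(detections)
    return [d for d in detections if d["priority"] in active]


def severity_counts(detections):
    """Count Threat / Warning / Info, the three severities shown in the view."""
    counts = {"Threat": 0, "Warning": 0, "Info": 0}
    for d in detections:
        counts[d["severity"]] += 1
    return counts


if __name__ == "__main__":
    for option in ["Ungrouped", *GROUP_KEYS]:
        groups = group_detections(DETECTIONS, option)
        print(option, {k: [d["id"] for d in v] for k, v in groups.items()})
    active = toggle_priority(set(), 1)          # activate the Priority I icon
    print("Priority I only:", [d["id"] for d in filter_by_priority(DETECTIONS, active)])
    print(severity_counts(DETECTIONS))
```

Grouping by Rules places the blocked-hash detection under "(none)" rather than dropping it, which mirrors the Types view where the trigger is either a rule or a hash match.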
Severity
Shows the detection's severity: Threat, Warning or Info.
Click a detection to take further action:
| Action | Description |
|---|---|
| Computer Details | Go to the Computer details tab. |
| Toggle Group | Expand or contract the group; not available if Ungrouped is selected. |
| Mark as Resolved | Mark the detection as Resolved. |
| Mark as not Resolved | Mark the detection as Unresolved. |
| Create Exclusion | Create an exclusion task for the selected rules. You are redirected to Create Rule Exclusion. |
| Edit Rule | Redirects you to the Edit Rule section if a rule raised the detection. |
| Edit User Actions | Opens the Edit User Actions window and shows the user actions for the selected detection rule. |
| Priority | Mark the detection as No priority, Priority I, Priority II or Priority III. |
| Add Comment | Add a comment. |
| Open | Open Computer: opens Computer details for the computer that triggered the detection. Open Process: if a rule triggered the detection, opens the Process details of the process that caused it. Open Parent Process: if the detection has a parent process, opens the parent Process details. |
| Tags | Assign tags to a detection from the existing list or create custom tags. |
| Audit log | Go to the Audit log tab. |
| Incident | Create an incident report; Add to a current incident; Add to recent incident (shows the last three incidents); Select incident to add to. |
| Filter | Show quick filters on the column where you activated the context menu (Show only this, Hide this). |