ESET Online Help


Rules

Rules are the behavior- and reputation-based descriptions that ESET Inspect On-Prem can identify from received events and metadata.

Security engineers can add and edit their rules, and there are rules provided by ESET that cannot be modified.

A rule is defined in an XML-based language. Rules are matched on the server asynchronously, so there is a delay between recent events being sent from the client to the server and their processing by rules. A matched rule can only notify security engineers by raising a detection.

The detection displays in the Detections view, and an email can be automatically sent when the detection is triggered using the ESET PROTECT On-Prem notification mechanism.

A security engineer can perform a manual remediation action based on the investigation's results.


Note

Rules with severity 22 and below are telemetry rules. They are usually used only as additional information for investigating an incident and can often be triggered by legitimate behavior. If some of these rules generate too much traffic in your environment, you may consider turning them off.

You can evaluate detection rules in ESET Inspect Connector. To use this feature, enable LiveGrid® in ESET Endpoint. Enabled LiveGrid® in ESET Endpoint is required for ESET Inspect On-Prem version 1.8 or later.

If performance issues occur on the ESET Endpoint using ESET Inspect Connector version 1.8 or later, you can switch detection rules evaluation to be done by ESET Inspect Server. This is only available on-premises.

Activate detection rules evaluation on ESET Inspect Server.

If the connection between ESET Inspect Server and ESET Inspect Connector is interrupted:

ESET Inspect Connector performs the evaluation and sends the triggered detections and collected raw events to the ESET Inspect Server once the connection is restored

If ESET Inspect Connector matches a raw event to a detection rule that has a response action assigned, only the Kill process action executes immediately

If false positives occur and wrong executables are processed, go to Settings > Detection rules and uncheck Automatically execute remediation actions specified by rules to disable automatic remediation actions.

Filtering, Tags and Table options

Use the filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon to open the table options and manage the main table.

The rule window consists of the following parts:

Rule details

Summary of the rule.

Rule—The rule’s name.

Author—The name of the user who was logged in when the rule was created.

Last Edit—The date the rule was last edited.

Category—The category name found among category tags in the Edit Rule section.

Severity—Shows the detection's severity: Threat, Warning or Info.

Severity Score—A precise severity definition: 1–39 = Info; 40–69 = Warning; 70–100 = Threat.

Remediation actions—Click Select user actions to open rule options and choose actions.

Explanation—An explanation of the file's behavior.

Malicious Causes—The possible result of a file execution.

Benign Causes—Details about possibly harmless activity.

MITRE ATT&CK™ TECHNIQUES—The MITRE ATT&CK™ technique ID, if present.

Rerun Tasks—The number of tasks that are rerun using this rule.

Exclusions—The number of exclusions created for this rule.

Tags—Assign detection tags from the existing list or create custom tags.

Edit Rule

You can add or edit the rules. On the right side, you can see the Syntax Reference; at the bottom, you can find the link to the Rules Guide.

Targets

You can see and assign or unassign computers or groups in this window.

Rerun Tasks

Provides similar information to the Tasks sub-tab in the More tab, but shows only this rule's tasks.

Exclusions

Provides the same options as the Exclusions sub-tab in the More tab. Click a Detection to be redirected to the Detection details.

Click a rule name to take further action:

Details

Opens a summary.

Detections

Redirects to the rule's Detections view.

Exclusions

Goes to the rule's Exclusions view.

Edit Rule

Redirects to the Edit Rule section if the detection was raised by a rule.

Edit User Actions

Redirects to the rule's Edit User Actions section.

Change assignment

Goes to the rule's Targets view.

Rerun Tasks

Goes to the rule's Rerun Tasks view.

Create Exclusion

Creates an exclusion task for the selected rules. You are redirected to the Create Rule Exclusion window.

Enable

Disable

Delete

Save As

Creates a new rule with the desired name and opens the rule editor.

Access group

Displays the currently assigned access group. Click Move to reassign the access group.

Tags

Assign detection tags from the existing list or create custom tags.

Filter

Shows quick filters for the column where you opened the context menu (Show only this, Hide this).

Rerun Rules

Redirects you to the Create rerun task window.

Export

Starts the export of the rule to an XML file; how the download is handled depends on the web browser.

Import

Opens the import window for the XML rule file.