Actions

Actions tag allows you to specify a set of actions that are executed when the rule is triggered. Action names are:

•BlockModule—blocks DLL that is being loaded in the LoadDll event

•BlockParentProcessExecutable—blocks a parent process hash (only if not trusted or LiveGrid® info is missing)

•BlockProcessExecutable—blocks a process hash (ban hash via the rule, only if not trusted or LiveGrid® info is missing)

•BlockProcessSuspiciousModules—blocks a module marked as suspicious by MarkModuleSuspicious action

•CleanAndBlockModule—blocks dropped module in the ModuleDrop event

•CleanAndBlockParentProcessExecutable—cleans and blocks a parent process hash (only if not trusted or LiveGrid® info is missing)

•CleanAndBlockProcessExecutable—cleans and blocks a process hash (only if not trusted or LiveGrid® info is missing)

•CleanAndBlockProcessSuspiciousModules—cleans and blocks a module marked as suspicious by MarkModuleSuspicious action

•DropEvent—drops an event that triggered the rule

•HideCommandLine—do not save the command line of the proccess that triggered the rule

•IsolateFromNetwork—isolates the computer from the network

•KillParentProcess—kills parent of the running process that triggered the detection (only if not trusted or LiveGrid® info is missing)

•KillProcess—kills running process that triggered the detection (only if not trusted or LiveGrid® info is missing)

•LogOutUser—logs out the user from the operating system

•MarkAsCompromised—the process that triggered the rule will be marked as compromised. This status is visible in the process details view in ESET Inspect Web Console.

•MarkAsResolved—marks the currently evaluated detection as resolved

•MarkAsScript—marks an executable as a script

•MarkModuleSuspicious—marks a module as suspicious

•Reboot—reboots computer that triggered the detection

•ReportIncident—creates incident when the detection is triggered. You can aggregate detections into one incident using aggregateOn parameter. To specify time aggregation you can use aggregationParameter

 Possible aggregateOn parameter values are:

oComputers

oTime

oTimeAndComputers

•Shutdown—shutdowns computer that triggered the detection

•StoreEvent—stores events that triggered the detection from this rule regardless of other settings. You can use it if the events are not stored by default

•SubmitModuleToLiveGuard—submits module to ESET LiveGuard

•SubmitParentToLiveGuard—submits parent of the executable that triggered the detection to ESET LiveGuard

•SubmitToLiveGuard—submits executable that triggered the detection to ESET LiveGuard

•TriggerDetection—if you do not specify actions in the actions tag field, this action is executed by default and the detection triggers in ESET Inspect. If other actions are specified, and you still want to trigger detection, you must add this action