
Macchia

Members
  • Posts

    2

About Macchia

  • Rank
    Newbie

Profile Information

  • Location
    Italy
  1. Hi Marcos and JamesR,

     Thanks for your clear and helpful guidance. Your insights were valuable. To ensure I've got everything set up correctly and to potentially aid others on the forum, I'd like to share the complete rule code based on your recommendations:

         <process>
             <operator type="AND">
                 <condition component="FileItem" property="FileName" condition="is" value="software.exe"/>
                 <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="5"/>
             </operator>
         </process>
         <operations>
             <operation type="TcpIpProtocolIdentified">
                 <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
             </operation>
         </operations>

     Could you please confirm if the above is correctly formulated? If it's all good, it may serve as a useful reference for anyone else working on similar configurations. Thanks again for your time and support!
  2. Hi,

     I'm fine-tuning exclusion rules in ESET Inspect and need some guidance on specifying a network-related condition. There's an executable in our environment that's connecting to a known and trusted IP address. However, it's being flagged for SSL communication on a non-standard port, which I need to suppress in our detections. The exclusion rule I'm working with takes the file's LiveGrid reputation into account, and now I want to add a condition that checks for the specific remote IP address it connects to. The current setup of my rule is as follows:

         <operation type="TcpIpProtocolIdentified">
             <condition component="Network" property="_________" condition="is" value="13.69.128.10"/>
         </operation>

     Could you advise on which property of the Network component I should use to correctly filter based on the IP address? Appreciate your insights!