tgr, Posted January 17

Hello, I have a question about exclusions. If I make an exclusion for a rule, do I still see those messages somewhere in the logs? Because without exclusions there are too many messages, but it would be important for us if it is still logged somewhere (to be able to track it in case of an incident). Thanks and kind regards!

Marcos (Administrators), Posted January 18

You can re-run rules while ignoring exclusions. If you do not select to add detections to the main detections table immediately, you will be able to review the matched detections first in the re-run task details:

TradeLabelSoftware, Posted January 19

This is such a common problem and the solution you provided didn't work. So can you provide a better solution?

Marcos (Administrators), Posted January 19

With ESET Inspect 1.8+, rules are evaluated on clients by default. You would see records like this in the EI connector logs for excluded events:

2023-01-19 11:07:53 013a4 Debug: Rule "Notepad has been started"(1104) matching was excluded by "Exclusion for rule: Notepad has been started"(224) on CreateProcess(10)
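
An added example, not part of the thread and not ESET code: a small parser that pulls the "matching was excluded by" records out of connector log text and counts suppressed matches per rule and exclusion inside an incident time window. The field layout is inferred from the single record quoted above, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern inferred from the one record quoted in the post; what each field
# means (thread id, numeric rule/exclusion/event ids) is an assumption.
EXCLUDED = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tid>\S+) (?P<level>\w+): '
    r'Rule "(?P<rule>.*)"\((?P<rule_id>\d+)\) matching was excluded by '
    r'"(?P<excl>.*)"\((?P<excl_id>\d+)\) on (?P<event>\w+)\((?P<event_id>\d+)\)\s*$'
)

# First line is the record from the post; the rest are constructed samples.
SAMPLE_LOG = '''\
2023-01-19 11:07:53 013a4 Debug: Rule "Notepad has been started"(1104) matching was excluded by "Exclusion for rule: Notepad has been started"(224) on CreateProcess(10)
2023-01-19 11:08:02 013a4 Debug: constructed line that is not an exclusion record
2023-01-19 11:09:15 01b20 Debug: Rule "Notepad has been started"(1104) matching was excluded by "Exclusion for rule: Notepad has been started"(224) on CreateProcess(10)
2023-01-19 11:12:40 01b20 Debug: Rule "Example "quoted" rule"(9001) matching was excluded by "Example exclusion"(9002) on CreateProcess(10)
'''

def parse_excluded(lines):
    """Yield one dict per exclusion record; other lines are skipped."""
    for line in lines:
        m = EXCLUDED.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        for key in ("rule_id", "excl_id", "event_id"):
            rec[key] = int(rec[key])
        yield rec

def summarize(records, start=None, end=None):
    """Count suppressed matches per (rule, exclusion, event) in a time window."""
    counts = Counter()
    for r in records:
        if (start and r["ts"] < start) or (end and r["ts"] > end):
            continue
        counts[(r["rule_id"], r["rule"], r["excl_id"], r["event"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(parse_excluded(SAMPLE_LOG.splitlines())).most_common():
        print(n, key)
```

Because these are Debug-level records, they are only available for the period the connector log was actually retained at that level.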