
Reduce the triggered events




I understand that currently there is an event triggered.

May I ask how to set up rules for triggering?

The desired frequency for recurring events is once a day or once an hour.



  • ESET Staff

How often a rule triggers on an event is dependent on a customer's environment. If a new process starts, and exhibits a behavior which would trigger a rule, that process will trigger the rule.

From your screenshot you can see there is a different "Process Name (ID)" for each detection and the same executable each time.  This tells me that the executable "7kmdtosm.exe" is being executed multiple times and performing actions which trigger rule "[C0628]".

If you have confirmed these detections are not a sign of an attack, you can stop the rule from triggering on this behavior by creating an exclusion.  I would recommend using the following Advanced Exclusion as a starting point.

The following is an example of how to start building an exclusion for rule [C0628].  Ensure you customize this to match what you are seeing in your own environment.

<definition>
    <process>
        <operator type="and">
            <condition component="FileItem" property="FullPath" condition="is" value="C:\Full\Path\to\7kmdtosm.exe" />
        </operator>
    </process>
    <!-- Following Operations describe the location and file extension which 7kmdtosm.exe would be writing to.  You will need to ensure this matches data you see in your own environment by using the "Trigger Event" column in a detections list, or by opening the details of a detection and looking for the Trigger Event section. -->
    <operations>
        <operation type="WriteFile">
            <operator type="and">
                <condition component="FileItem" property="Path" condition="is" value="%HOME%\Documents" />
                <condition component="FileItem" property="Extension" condition="is" value="xyz" />
            </operator>
        </operation>
        <operation type="RenameFile">
            <operator type="and">
                <condition component="FileItem" property="Path" condition="is" value="%HOME%\Documents" />
                <condition component="FileItem" property="Extension" condition="is" value="xyz" />
            </operator>
        </operation>
    </operations>
</definition>

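The following is an added illustration, not code from the thread or from ESET: a small Python evaluator that models how the posted exclusion's <process> and <operations> blocks combine, so an administrator can sanity-check a draft exclusion against a few detection rows before deploying it. The matching semantics (an "and" operator requires every child condition, %HOME% expansion, case-insensitive comparison, the process block and one operation of the detection's trigger-event type both having to match), the stand-in process path C:\Tools\7kmdtosm.exe and the detection rows are all assumptions, not ESET Inspect's engine behaviour.

```python
# Added illustration, not ESET's matching engine: a simplified evaluator for an
# ESET Inspect-style exclusion <definition>, used to check a draft exclusion
# against constructed detection rows before it is deployed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed exclusion with the same shape as the one in the post; the process
# path C:\Tools\7kmdtosm.exe is a made-up stand-in for the real location.
EXCLUSION_XML = r"""<definition>
    <process>
        <operator type="and">
            <condition component="FileItem" property="FullPath" condition="is" value="C:\Tools\7kmdtosm.exe" />
        </operator>
    </process>
    <operations>
        <operation type="WriteFile">
            <operator type="and">
                <condition component="FileItem" property="Path" condition="is" value="%HOME%\Documents" />
                <condition component="FileItem" property="Extension" condition="is" value="xyz" />
            </operator>
        </operation>
        <operation type="RenameFile">
            <operator type="and">
                <condition component="FileItem" property="Path" condition="is" value="%HOME%\Documents" />
                <condition component="FileItem" property="Extension" condition="is" value="xyz" />
            </operator>
        </operation>
    </operations>
</definition>"""


@dataclass(frozen=True)
class Detection:
    """One detection row as seen in the console (constructed sample data)."""
    process_full_path: str
    operation: str      # the Trigger Event, e.g. WriteFile
    target_dir: str     # directory of the file the operation touched
    target_ext: str     # extension of that file, without the dot


# Assumed: %HOME% stands for the user's profile directory. Real variable
# handling may differ; verify against the product documentation.
VARIABLES = {"%HOME%": r"C:\Users\alice"}


def expand(value: str) -> str:
    for name, replacement in VARIABLES.items():
        value = value.replace(name, replacement)
    return value


def condition_matches(cond: ET.Element, det: Detection) -> bool:
    """Evaluate one <condition>. Only FileItem / "is" is modelled; anything
    unknown counts as a non-match so it can never widen the exclusion."""
    if cond.get("component") != "FileItem" or cond.get("condition") != "is":
        return False
    want = expand(cond.get("value", "")).lower()
    actual = {
        "FullPath": det.process_full_path,
        "Path": det.target_dir,
        "Extension": det.target_ext,
    }.get(cond.get("property"))
    return actual is not None and actual.lower() == want


def operator_matches(op: ET.Element, det: Detection) -> bool:
    """type="and" needs every child condition; "or" (assumed) needs one.
    An operator with no conditions never matches."""
    results = [condition_matches(c, det) for c in op.findall("condition")]
    if op.get("type") == "and":
        return bool(results) and all(results)
    if op.get("type") == "or":
        return any(results)
    return False


def exclusion_matches(xml_text: str, det: Detection) -> bool:
    """Assumed combination: the process block must match, and some <operation>
    whose type equals the detection's trigger event must match as well."""
    root = ET.fromstring(xml_text)
    if not all(operator_matches(o, det) for o in root.findall("./process/operator")):
        return False
    for operation in root.findall("./operations/operation"):
        if operation.get("type") != det.operation:
            continue
        if all(operator_matches(o, det) for o in operation.findall("operator")):
            return True
    return False


# Constructed detection rows: two the exclusion should suppress, three it should
# leave alone (different extension, different process, a different event type).
DOCS = r"C:\Users\alice\Documents"
SAMPLE_DETECTIONS = (
    Detection(r"C:\Tools\7kmdtosm.exe", "WriteFile", DOCS, "xyz"),
    Detection(r"C:\Tools\7kmdtosm.exe", "RenameFile", DOCS, "xyz"),
    Detection(r"C:\Tools\7kmdtosm.exe", "WriteFile", DOCS, "exe"),
    Detection(r"C:\Tools\other.exe", "WriteFile", DOCS, "xyz"),
    Detection(r"C:\Tools\7kmdtosm.exe", "DeleteFile", DOCS, "xyz"),
)

if __name__ == "__main__":
    for det in SAMPLE_DETECTIONS:
        state = "suppressed" if exclusion_matches(EXCLUSION_XML, det) else "still reported"
        print(state, det)
```

Running the script shows the property a practitioner wants from an exclusion: the same executable writing a file with a different extension, a different executable, or a trigger event the definition does not list all stay reported, while only the two narrowly described behaviours are suppressed. When the real Trigger Event column shows values that this draft does not cover, widen the exclusion deliberately per condition rather than dropping the <operations> block altogether.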