tgr (posted March 26):
Hi all, I think I have a simple question but I haven't found a solution anywhere. We have detections and I want to create an exclusion for them. But now my problem: the criterion for creating an exclusion for this detection is the trigger that triggers it. So I want this detection to be seen as solved when the detection is triggered by a certain event. When I create the exclusion, I can specify various things (cmd line, signer, process path starts) but not the trigger event. How could I do that? Thanks for the help! Kind regards
Marcos (Administrators, posted March 26):
You have posted in the General forum, so it is not clear what product you are referring to. Is it ESET Inspect or ESET Inspect on-prem? Anyway, there's no such option to use the event as a criterion for ESET Inspect exclusions.
tgr (author, posted March 26):
Sorry, it's ESET Inspect. Hmm, OK, but what is the best way to deal with such detections? They are not important but always appear and perhaps cover up other important things. Is there an idea, or is that just the way it is?
j91321 (ESET Staff, posted March 28):
It's not very clear what exactly you are asking about; an example with a screenshot would help us to better understand your problem.

On 3/26/2024 at 1:14 PM, tgr said: "So I want this detection to be seen as solved when the detection is triggered by a certain event."

Based on this I think you want to keep the detection, but automatically resolve it? If that's the case, the MarkAsResolved action may be the thing you are looking for. Check the rule Common Misconfigurations or Recurring Detections [X9803] as an example of how to use the MarkAsResolved action.
tgr (author, posted April 1, edited April 1 by tgr):
OK, thanks for the idea. Here again is a description of what I mean: I have a detection (it doesn't matter which one because it occurs with different ones). The triggering event is:

CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)
Event: CodeInjection msrdc.exe (ApcQueue)

What I want now is that such detections with this trigger event are automatically resolved, because for me these messages are finished; I know where they come from. Do I now have to exclude this in the rules?
tgr (author, posted April 3):
Is it now clearer what I mean?
tgr (author, posted April 8):
Can nobody help me? I have a detection (it doesn't matter which one because it occurs with different ones). The triggering event is:

CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)
Event: CodeInjection msrdc.exe (ApcQueue)

What I want now is that such detections with this trigger event are automatically resolved, because for me these messages are finished; I know where they come from. Do I now have to exclude this in the rules?
j91321 (ESET Staff, posted April 14):
It's not possible to automatically resolve them. MarkAsResolved works on detections. You can however prevent that event from triggering the detections in the first place. You can create an advanced exclusion with a definition like this one:

<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="AND">
        <condition component="CodeInjectionInfo" condition="is" property="CodeInjectionType" value="ApcQueue"/>
        <condition component="FileItem" condition="starts" property="Path" value="%PROGRAMFILES%\wsl\"/>
        <condition component="FileItem" condition="is" property="FileName" value="msrdc.exe"/>
      </operator>
    </operation>
  </operations>
</definition>

and apply it to the rules it triggers, most likely:

Injection into trusted process [F0414b]
Injection from an unpopular process [F0415]

A similar exclusion already exists, named: WSL2 Microsoft Remote Desktop Connection - [F0414b][F0415], although this one works for WSL installed from the Windows Store. That may be a reason why it's triggering for you.
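The point of j91321's answer is that an exclusion is an AND of conditions over the event, so the existing WSL2 exclusion is silently useless when the install path differs from what its Path condition expects. The script below is an added example for this thread, not ESET's own matching engine: it parses the posted definition and evaluates it against three constructed events, reporting which condition fails. The semantics it assumes ("is" is an exact match, "starts" is a prefix match, comparison is case-insensitive, %PROGRAMFILES% expands to C:\Program Files, the FileItem Path holds the directory) and the sample paths and the "RemoteThread" injection type are assumptions made for illustration.

```python
"""Model of how an ESET Inspect advanced-exclusion definition is matched
against a CodeInjection event.

Added example, not ESET's matching engine: the evaluation semantics and
the sample events below are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

# The definition posted by j91321 in this thread (Python escaping only).
DEFINITION = """<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="AND">
        <condition component="CodeInjectionInfo" condition="is" property="CodeInjectionType" value="ApcQueue"/>
        <condition component="FileItem" condition="starts" property="Path" value="%PROGRAMFILES%\\wsl\\"/>
        <condition component="FileItem" condition="is" property="FileName" value="msrdc.exe"/>
      </operator>
    </operation>
  </operations>
</definition>"""

# Assumed variable expansion; on a real endpoint ESET resolves this itself.
ENV = {"%PROGRAMFILES%": "C:\\Program Files"}


def expand(value):
    for name, resolved in ENV.items():
        value = value.replace(name, resolved)
    return value


def condition_matches(cond, event):
    """Evaluate one <condition> element against an event dict.

    Assumption: matching is case-insensitive; "is" is exact, "starts" is prefix.
    """
    actual = event.get(cond.get("component"), {}).get(cond.get("property"))
    if actual is None:
        return False
    expected = expand(cond.get("value")).lower()
    actual = actual.lower()
    op = cond.get("condition")
    if op == "is":
        return actual == expected
    if op == "starts":
        return actual.startswith(expected)
    raise ValueError(f"unsupported condition operator: {op}")


def evaluate(definition_xml, event):
    """Return (matched, failed) where `failed` lists the conditions, as
    'component.property', that did not hold. Only AND/OR are modelled."""
    root = ET.fromstring(definition_xml)
    for operation in root.iter("operation"):
        if operation.get("type") != event["type"]:
            continue
        operator = operation.find("operator")
        results = [
            (f'{c.get("component")}.{c.get("property")}', condition_matches(c, event))
            for c in operator.findall("condition")
        ]
        failed = [name for name, ok in results if not ok]
        if operator.get("type") == "AND":
            return (not failed, failed)
        if operator.get("type") == "OR":
            return (len(failed) < len(results), failed)
        raise ValueError(f"unsupported operator: {operator.get('type')}")
    return (False, ["operation.type"])  # event type not covered at all


def make_event(path, filename, injection_type="ApcQueue"):
    """Constructed event shaped like the thread's trigger event."""
    return {
        "type": "CodeInjection",
        "CodeInjectionInfo": {"CodeInjectionType": injection_type},
        "FileItem": {"Path": path, "FileName": filename},
    }


# Constructed sample events; the Store path and "RemoteThread" are assumptions.
EVENTS = {
    "classic install": make_event("C:\\Program Files\\wsl\\", "msrdc.exe"),
    "store install": make_event("C:\\Program Files\\WindowsApps\\wsl-package\\", "msrdc.exe"),
    "other injection type": make_event("C:\\Program Files\\wsl\\", "msrdc.exe", "RemoteThread"),
}

if __name__ == "__main__":
    for label, evt in EVENTS.items():
        matched, failed = evaluate(DEFINITION, evt)
        print(f"{label:22s} excluded={matched!s:5s} failed={failed}")
```

Running it shows the classic %PROGRAMFILES%\wsl\ install being excluded while the Store-style path fails only on FileItem.Path, which is exactly the mismatch j91321 suspects between the shipped WSL2 exclusion and tgr's installation; the third event shows that a different injection type into the same binary would still reach the rules.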