Jump to content

Exclusions Criteria Trigger Event


tgr
Go to solution Solved by j91321,

Recommended Posts

Hi together

I think i have a simple question but i haven't found a solution anywhere.
We have detections and I want to create an exclusion for them.

But now my problem: The criteria for creating an exclusion for this detection is the trigger that triggers it.

So I want this detection to be seen as solved when the detection is triggered by a certain event.

When I create the extension, I can specify various things (cmd line, signer, process path starts) but not the trigger event. How could I do that?

 

Thank for the help!

Kind regards

 

Link to comment
Share on other sites

  • Administrators

You have posted in the General forum so it is not clear what product you are referring to. Is it ESET Inspect or ESET Inspect on-prem? Anyways, there's no such option to use the event as a criterion for ESET Inspect exclusions.

Link to comment
Share on other sites

Sorry, its ESET Inspect.

mh ok but what is the best way to deal with such detections? because they are not important but always appear and perhaps cover up other important things?
Is there an idea? or is that just the way it is?

Link to comment
Share on other sites

  • ESET Staff

It's not very clear what exactly are you asking about, an example with a screenshot would help us to better understand your problem.

On 3/26/2024 at 1:14 PM, tgr said:

So I want this detection to be seen as solved when the detection is triggered by a certain event.

Based on this I think you want to keep the detection, but automatically resolve it? If that's the case, MarkAsResolved action may be the thing you are looking for. Check the rule Common Misconfigurations or Recurring Detections [X9803] as an example on how to use the MarkAsResolved action.

Link to comment
Share on other sites

Posted (edited)

Ok thanks for the idea. Here again a description what I mean:

So I mean I have a detection (it doesn't matter which one because it occurs with different ones).

The triggerin Event is: CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)

Event:  CodeInjectionmsrdc.exe (ApcQueue)
 
What I want now is that such detections with this trigger event are automatically resolved.Because for me these messages are finished, I know where they come from.

Do I now have to exclude this in the rules?

Edited by tgr
Link to comment
Share on other sites

Can nobody help me?

So I have a detection (it doesn't matter which one because it occurs with different ones).

The triggerin Event is: CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)

Event:  CodeInjectionmsrdc.exe (ApcQueue)
 
What I want now is that such detections with this trigger event are automatically resolved.Because for me these messages are finished, I know where they come from.

Do I now have to exclude this in the rules?

 
 
  •  

 

Link to comment
Share on other sites

  • ESET Staff
  • Solution

It's not possible to automatically resolve them. MarkAsResolved works on detections. You can however prevent that event from triggering the detections in the first place. You can create an advanced exclusion with definition like this one:

    <definition>
      <operations>
        <operation type="CodeInjection">
          <operator type="AND">
            <condition component="CodeInjectionInfo" condition="is" property="CodeInjectionType" value="ApcQueue"/>
            <condition component="FileItem" condition="starts" property="Path" value="%PROGRAMFILES%\wsl\"/>
            <condition component="FileItem" condition="is" property="FileName" value="msrdc.exe"/>
          </operator>
        </operation>
      </operations>
    </definition>

and apply it to the rules it triggers, most likely:

  • Injection into trusted process [F0414b]
  • Injection from an unpopular process [F0415]

Similar exclusion already exists named: WSL2 Microsoft Remote Desktop Connection - [F0414b][F0415] although this one works for WSL installed from Windows Store. That may be a reason why it's triggering for you.

Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...