tgr, posted March 26, 2024:

Hi all, I think I have a simple question, but I haven't found a solution anywhere. We have detections and I want to create an exclusion for them. But here is my problem: the criterion for creating an exclusion for this detection is the trigger event that fires it. So I want this detection to be treated as resolved when the detection is triggered by a certain event. When I create the exclusion, I can specify various things (command line, signer, process path starts with) but not the trigger event. How could I do that? Thanks for the help! Kind regards
Marcos (Administrator), posted March 26, 2024:

You have posted in the General forum, so it is not clear which product you are referring to. Is it ESET Inspect or ESET Inspect On-Prem? In any case, there is no option to use the event as a criterion for ESET Inspect exclusions.
tgr (author), posted March 26, 2024:

Sorry, it's ESET Inspect. Hm, OK, but what is the best way to deal with such detections? They are not important, but they always appear and may cover up other important things. Is there an idea, or is that just the way it is?
j91321 (ESET Staff), posted March 28, 2024:

It's not very clear what exactly you are asking about; an example with a screenshot would help us understand your problem better.

On 3/26/2024 at 1:14 PM, tgr said: So I want this detection to be treated as resolved when the detection is triggered by a certain event.

Based on this, I think you want to keep the detection but automatically resolve it? If that's the case, the MarkAsResolved action may be what you are looking for. Check the rule Common Misconfigurations or Recurring Detections [X9803] as an example of how to use the MarkAsResolved action.
tgr (author), posted April 1, 2024 (edited):

OK, thanks for the idea. Here again is a description of what I mean: I have a detection (it doesn't matter which one, because it occurs with different ones). The triggering event is:

CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)
Event: CodeInjection msrdc.exe (ApcQueue)

What I want now is for such detections with this trigger event to be resolved automatically, because for me these messages are finished; I know where they come from. Do I now have to exclude this in the rules?

Edited April 1, 2024 by tgr
tgr (author), posted April 8, 2024:

Can nobody help me? I have a detection (it doesn't matter which one, because it occurs with different ones). The triggering event is:

CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)
Event: CodeInjection msrdc.exe (ApcQueue)

What I want now is for such detections with this trigger event to be resolved automatically, because for me these messages are finished; I know where they come from. Do I now have to exclude this in the rules?
j91321 (ESET Staff), posted April 14, 2024 (marked as solution):

It's not possible to resolve them automatically; MarkAsResolved works on detections. You can, however, prevent that event from triggering the detections in the first place. You can create an advanced exclusion with a definition like this one:

    <definition>
      <operations>
        <!-- applies only to CodeInjection events -->
        <operation type="CodeInjection">
          <!-- all three conditions must hold for the event to be excluded -->
          <operator type="AND">
            <condition component="CodeInjectionInfo" condition="is" property="CodeInjectionType" value="ApcQueue"/>
            <condition component="FileItem" condition="starts" property="Path" value="%PROGRAMFILES%\wsl\"/>
            <condition component="FileItem" condition="is" property="FileName" value="msrdc.exe"/>
          </operator>
        </operation>
      </operations>
    </definition>

and apply it to the rules it triggers, most likely:

- Injection into trusted process [F0414b]
- Injection from an unpopular process [F0415]

A similar exclusion already exists, named: WSL2 Microsoft Remote Desktop Connection - [F0414b][F0415], although that one works for WSL installed from the Windows Store. That may be the reason why it's triggering for you.