tgr (posted March 26)
Hi all, I think I have a simple question, but I haven't found a solution anywhere. We have detections and I want to create an exclusion for them. But now my problem: the criterion for creating an exclusion for this detection is the event that triggers it. So I want this detection to be seen as solved when the detection is triggered by a certain event. When I create the exclusion, I can specify various things (cmd line, signer, process path starts) but not the trigger event. How could I do that? Thanks for the help! Kind regards
Marcos (Administrators, posted March 26)
You have posted in the General forum, so it is not clear what product you are referring to. Is it ESET Inspect or ESET Inspect On-Prem? Anyway, there's no such option to use the event as a criterion for ESET Inspect exclusions.
tgr (author, posted March 26)
Sorry, it's ESET Inspect. Hm, OK, but what is the best way to deal with such detections? Because they are not important but always appear and perhaps cover up other important things. Is there an idea, or is that just the way it is?
j91321 (ESET Staff, posted March 28)
It's not very clear what exactly you are asking about; an example with a screenshot would help us better understand your problem. On 3/26/2024 at 1:14 PM, tgr said: "So I want this detection to be seen as solved when the detection is triggered by a certain event." Based on this, I think you want to keep the detection but automatically resolve it? If that's the case, the MarkAsResolved action may be the thing you are looking for. Check the rule Common Misconfigurations or Recurring Detections [X9803] as an example of how to use the MarkAsResolved action.
tgr (author, posted April 1, edited)
OK, thanks for the idea. Here again is a description of what I mean: I have a detection (it doesn't matter which one, because it occurs with different ones). The triggering event is:
CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)
Event: CodeInjection msrdc.exe (ApcQueue)
What I want now is that such detections with this trigger event are automatically resolved, because for me these messages are finished; I know where they come from. Do I now have to exclude this in the rules?
Edited April 1 by tgr
tgr (author, posted April 3)
Is it now clearer what I mean?
tgr (author, posted April 8)
Can nobody help me? So I have a detection (it doesn't matter which one, because it occurs with different ones). The triggering event is:
CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)
Event: CodeInjection msrdc.exe (ApcQueue)
What I want now is that such detections with this trigger event are automatically resolved, because for me these messages are finished; I know where they come from. Do I now have to exclude this in the rules?
j91321 (ESET Staff, posted April 14, marked as Solution)
It's not possible to automatically resolve them. MarkAsResolved works on detections. You can, however, prevent that event from triggering the detections in the first place. You can create an advanced exclusion with a definition like this one:

    <definition>
      <operations>
        <operation type="CodeInjection">
          <operator type="AND">
            <condition component="CodeInjectionInfo" condition="is" property="CodeInjectionType" value="ApcQueue"/>
            <condition component="FileItem" condition="starts" property="Path" value="%PROGRAMFILES%\wsl\"/>
            <condition component="FileItem" condition="is" property="FileName" value="msrdc.exe"/>
          </operator>
        </operation>
      </operations>
    </definition>

and apply it to the rules it triggers, most likely:
Injection into trusted process [F0414b]
Injection from an unpopular process [F0415]
A similar exclusion already exists, named "WSL2 Microsoft Remote Desktop Connection - [F0414b][F0415]", although this one works for WSL installed from the Windows Store. That may be the reason why it's triggering for you.
tgr (author, posted April 29)
OK, thanks for the idea. I will try that!