Exclusions Criteria Trigger Event

[tgr 1]

Hi together

I think i have a simple question but i haven't found a solution anywhere.
We have detections and I want to create an exclusion for them.

But now my problem: The criteria for creating an exclusion for this detection is the trigger that triggers it.

So I want this detection to be seen as solved when the detection is triggered by a certain event.

When I create the extension, I can specify various things (cmd line, signer, process path starts) but not the trigger event. How could I do that?

 

Thank for the help!

Kind regards

 

[Marcos 5,074]

You have posted in the General forum so it is not clear what product you are referring to. Is it ESET Inspect or ESET Inspect on-prem? Anyways, there's no such option to use the event as a criterion for ESET Inspect exclusions.

[tgr 1]

Sorry, its ESET Inspect.

mh ok but what is the best way to deal with such detections? because they are not important but always appear and perhaps cover up other important things?
Is there an idea? or is that just the way it is?

[j91321 5]

It's not very clear what exactly are you asking about, an example with a screenshot would help us to better understand your problem.

On 3/26/2024 at 1:14 PM, tgr said:

So I want this detection to be seen as solved when the detection is triggered by a certain event.

Based on this I think you want to keep the detection, but automatically resolve it? If that's the case, MarkAsResolved action may be the thing you are looking for. Check the rule Common Misconfigurations or Recurring Detections [X9803] as an example on how to use the MarkAsResolved action.

[tgr 1]

Ok thanks for the idea. Here again a description what I mean:

So I mean I have a detection (it doesn't matter which one because it occurs with different ones).

The triggerin Event is: CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)

Event:  CodeInjectionmsrdc.exe (ApcQueue)

 

What I want now is that such detections with this trigger event are automatically resolved.Because for me these messages are finished, I know where they come from.

Do I now have to exclude this in the rules?

Edited April 1 by tgr

[tgr 1]

Is it now clearer what I mean?

[tgr 1]

Can nobody help me?

So I have a detection (it doesn't matter which one because it occurs with different ones).

The triggerin Event is: CodeInjection %PROGRAMFILES%\wsl\msrdc.exe (APC queue)

Event:  CodeInjectionmsrdc.exe (ApcQueue)

 

What I want now is that such detections with this trigger event are automatically resolved.Because for me these messages are finished, I know where they come from.

Do I now have to exclude this in the rules?

 

 

•  

 

[j91321 5]

It's not possible to automatically resolve them. MarkAsResolved works on detections. You can however prevent that event from triggering the detections in the first place. You can create an advanced exclusion with definition like this one:

    <definition>
      <operations>
        <operation type="CodeInjection">
          <operator type="AND">
            <condition component="CodeInjectionInfo" condition="is" property="CodeInjectionType" value="ApcQueue"/>
            <condition component="FileItem" condition="starts" property="Path" value="%PROGRAMFILES%\wsl\"/>
            <condition component="FileItem" condition="is" property="FileName" value="msrdc.exe"/>
          </operator>
        </operation>
      </operations>
    </definition>

and apply it to the rules it triggers, most likely:

• Injection into trusted process [F0414b]
• Injection from an unpopular process [F0415]

Similar exclusion already exists named: WSL2 Microsoft Remote Desktop Connection - [F0414b][F0415] although this one works for WSL installed from Windows Store. That may be a reason why it's triggering for you.