Manage predefined and custom correlation rules and detection signals that you can use for anomaly detection by Correlated Intelligence.

Procedure

  1. Go to Policies > Global Settings > Correlated Intelligence > Correlation Rules and Detection Signals.
  2. Click Correlation Rules to view the predefined and custom rules used by Correlated Intelligence for anomaly detection.
  3. On the Correlation Rules tab, click a rule name to view details about a predefined rule or modify a custom rule.
    Trend Micro defines a set of correlation rules and detection signals, and continually introduces new rules and signals. Each predefined rule consists of one or multiple predefined detection signals. View the details about a rule to understand what the rule is about, what detection signals are used, and how the rule is matched.
    Trend Micro classifies its predefined correlation rules for anomaly detection into three levels of aggressiveness: Moderate, Aggressive, and Extra aggressive.
    • Moderate: This level is designed to seek a balance between effective anomaly detection and maintaining a relatively low rate of false positives. It is suitable for everyday monitoring and for customers who prefer a safer approach without significant disruptions to their regular email flow.
    • Aggressive: This level increases the sensitivity of anomaly detection and offers a more robust detection capability, which may result in a higher number of false positives. It is tailored for customers who require more stringent security measures to combat sophisticated attacks and are willing to accept some trade-offs in false alerts.
    • Extra aggressive: This highest level of aggression is recommended for critical situations, such as during an active attack or after a security breach has been identified. It provides the most aggressive form of prevention but may significantly impact normal email communication due to the high likelihood of false positives.
    You can add custom correlation rules to accommodate detection requirements in your environment. For details, see Adding a custom correlation rule.
  4. Click Detection Signals to view the predefined and custom detection signals used by correlation rules for anomaly detection.
  5. On the Detection Signals tab, click a signal name to view details about a predefined signal or modify a custom signal.
    You can add custom detection signals by using predefined conditions to meet your unique requirements. For details, see Adding a custom detection signal.