Detect security risks and identify anomalies by correlating signals across different sources.
Designed to empower you with enhanced detection capabilities, Correlated Intelligence
correlates suspicious signals from various sources to detect security risks and
anomalies.
NoteCurrently, Correlated Intelligence collects signals from Advance Spam Protection,
Malware Scanning, and Web Reputation.
|
One key advantage of Correlated Intelligence is its capability to see and analyze
signals
from multiple sources to identify security risks that may go unnoticed by a single
security filter. This multi-source approach adds an extra layer of protection to detect
potential threats.
Another highlight of Correlated Intelligence is its ability to alert you of anomalies,
which shows one or multiple signals that deviate from normal behaviors. Anomalies
may
not necessarily indicate a security risk, but are unusual enough to warrant attention.
With this feature, you can have a more comprehensive view of your security
landscape.
Correlated Intelligence operates by first gathering signals from various security
filters and then matching the signals against the predefined or user-defined rules.
The aim of this process is to identify any matches that could indicate a security
risk or anomaly, providing a more thorough and nuanced analysis of potential security
threats.
Cloud App Security comes with a set of predefined correlation rules and detection signals to detect Trend Micro specified security risks and anomalies. You can also define custom detection signals that are unique and critical to your
environment, and then incorporate them into custom correlation rules. This provides
you with flexibility of configuring Correlated Intelligence policies that meet your
actual needs.
NoteCorrelated Intelligence is currently available for Exchange Online.
|
Configuring Correlated Intelligence
Enable detection of security risks and anomalies through correlation of signals across different sources and specify the action to apply to any match.
Procedure
- Select Correlated Intelligence.By default, this security filter is enabled with the following settings:
-
The action for security risk detection is set to Quarantine.
-
All pre-defined rules is selected for anomaly detection. This enforces all existing and future predefined correlation rules to automatically detect anomalies.
You can work with the default settings or configure the settings to meet your requirements. -
- Configure Action settings for emails detected as
security risks.For details about the actions, see Actions available for different services.
- Turn on notification for Cloud App Security to send notification emails upon security risk detection.
- Determine to enforce all or partial predefined correlation rules to detect anomalies.
- All pre-defined rulesThis option is automatically selected when you enable the Correlated Intelligence toggle.Trend Micro classifies its predefined correlation rules for anomaly detection into three aggressive levels: Moderate, Aggressive, and Extra aggressive. For details about these rules and what scenarios that rules of each aggressive level are suitable for, see Viewing correlation rules and detection signals.
-
Click the digit next to each aggressive level to view the associated predefined rules.
-
Select an action for anomaly detection of each threat type under each aggressive level.If you do not want to enforce rules of a certain aggressive level to a certain threat type, select Pass without logging as the action.
-
If you want to exclude certain predefined rules during anomaly detection, select the rules in the Exceptions area.
-
- Specified pre-defined rulesSelect one or multiple rules and then select an action for each rule.
For details about the actions, see Actions available for different services. - All pre-defined rules
- Turn on notification for Cloud App Security to send notification emails upon anomaly detection.
- Turn on Warning banner to display a cautionary message at the top of the email body when end users receive
an email flagged as an anomaly by predefined correlation rules.The banner explains the reason for the warning, advising end users to exercise caution when interacting with the email. Click Preview to see how the warning banner will appear in end users' mailboxes.Upon configuration, Cloud App Security can activate the options in the warning banner for end users to report emails as spam, phishing, wanted, or not a risk to Trend Micro or specified administrators. This serves as another approach, in addition to the Add-in for Outlook, to help improve threat detection by allowing end users to report emails.You can also choose to alert end users about potential risks without activating the reporting actions. To disable these actions, turn off Report to Trend Micro and Report to administrators in Email reporting.. For details, seeTo get visibility into the emails reported by end users, go to User-reported emails.. For details, see
- Select one or multiple custom correlation rules, and then select an action for
each rule.In addition to the correlation rules predefined by Trend Micro, you can add custom correlation rules to accommodate detection requirements in your environment. For details, see Adding a custom correlation rule.
- Turn on notification for Cloud App Security to send notification emails upon anomaly detection.
- Configure Notification
settings.Notify administrator
-
Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
-
Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.
-
Set the notification threshold which limits the number of notification messages to send. Threshold settings include:
-
Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
-
Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
-
Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
-
Notify UserSpecify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment. -
- Click Save.You can check the detection results and learn about the reasons behind the detections in the screen.