Detect security risks and identify anomalies by correlating signals across different sources.
Designed to empower you with enhanced detection capabilities, Correlated Intelligence
correlates suspicious signals from various sources to detect security risks and
anomalies.
Note: Currently, Correlated Intelligence collects signals from Advanced Spam Protection, Malware Scanning, and Web Reputation.
One key advantage of Correlated Intelligence is its capability to see and analyze signals from multiple sources to identify security risks that may go unnoticed by a single security filter. This multi-source approach adds an extra layer of protection to detect potential threats.
Another highlight of Correlated Intelligence is its ability to alert you of anomalies, that is, one or multiple signals that deviate from normal behavior. Anomalies do not necessarily indicate a security risk, but are unusual enough to warrant attention. With this feature, you can have a more comprehensive view of your security landscape.
Correlated Intelligence operates by first gathering signals from various security filters and then matching the signals against a set of pre-defined or user-defined rules. The aim of this process is to identify any matches that could indicate a security risk or anomaly, providing a more thorough and nuanced analysis of potential security threats.
Note: Correlated Intelligence is currently available for Exchange Online.
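As an added example (not Trend Micro's code), the following Python sketch models the matching step described above: the signals raised for each message by the three named filters are checked against rules grouped by aggressive level, an action of Pass without logging means that level is not enforced for that threat type, and rule ids in an exceptions set are skipped. All signal names, rule ids and actions are constructed sample data.

```python
from dataclasses import dataclass
# Sources named on the page; all signals, rules and actions below are constructed sample data.
@dataclass(frozen=True)
class Signal:
    source: str      # the security filter that raised the signal
    name: str        # what that filter observed
    message_id: str  # the email the signal belongs to

@dataclass(frozen=True)
class Rule:
    rule_id: str
    level: str       # Moderate, Aggressive or Extra aggressive
    threat_type: str
    required: frozenset  # (source, signal name) pairs that must all be present

def correlate(signals, rules, actions, exceptions=frozenset()):
    """Match each message's signal set against every rule and return the enforced detections.
    actions maps (level, threat_type) -> action; "Pass without logging" means that level is not
    enforced for that threat type. exceptions holds rule ids excluded from detection."""
    by_msg = {}
    for s in signals:
        by_msg.setdefault(s.message_id, set()).add((s.source, s.name))
    detections = []
    for msg_id, present in by_msg.items():
        for rule in rules:
            if rule.rule_id in exceptions or not rule.required <= present:
                continue
            action = actions.get((rule.level, rule.threat_type), "Pass without logging")
            if action == "Pass without logging":
                continue
            # Flag matches that needed more than one filter: the correlation value-add
            cross_source = len({src for src, _ in rule.required}) > 1
            detections.append((msg_id, rule.rule_id, action, cross_source))
    return detections

SIGNALS = [
    Signal("Advanced Spam Protection", "suspicious_sender", "m1"),
    Signal("Web Reputation", "low_reputation_url", "m1"),
    Signal("Malware Scanning", "macro_attachment", "m2"),
    Signal("Advanced Spam Protection", "suspicious_sender", "m3"),
]
RULES = [
    Rule("R-MOD-1", "Moderate", "Phishing", frozenset({("Advanced Spam Protection", "suspicious_sender"),
                                                       ("Web Reputation", "low_reputation_url")})),
    Rule("R-AGG-1", "Aggressive", "Malware", frozenset({("Malware Scanning", "macro_attachment")})),
    Rule("R-XAGG-1", "Extra aggressive", "Phishing", frozenset({("Advanced Spam Protection", "suspicious_sender")})),
]
ACTIONS = {("Moderate", "Phishing"): "Quarantine", ("Aggressive", "Malware"): "Quarantine",
           ("Extra aggressive", "Phishing"): "Pass without logging"}
```

Message m1 is only caught because two filters' signals are combined, while m3 produces no detection until the Extra aggressive level is actually enforced.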
Configuring Correlated Intelligence
Enable detection of security risks and anomalies through correlation of signals across different sources and specify the action to apply to any match.
Procedure
- Select Correlated Intelligence.
- Enable Correlated Intelligence.
  Important: Enabling this toggle enforces all existing and future pre-defined correlation rules to automatically detect anomalies. You can work with the default settings in the Anomalies section or configure the settings to meet your requirements.
- Configure Action settings for emails detected as security risks. For details about the actions, see Actions available for different services.
- Turn on notification for Cloud App Security to send notification emails upon security risk detection.
- Determine whether to enforce all or only some of the pre-defined correlation rules to detect anomalies.
  - All pre-defined rules: This option is automatically selected when you enable the Correlated Intelligence toggle. Trend Micro classifies its pre-defined correlation rules for anomaly detection into three aggressive levels: Moderate, Aggressive, and Extra aggressive. For details about these rules and the scenarios that rules of each aggressive level are suitable for, see Viewing correlation rules and detection signals.
    - Click the digit next to each aggressive level to view the associated pre-defined rules.
    - Select an action for anomaly detection of each threat type under each aggressive level. If you do not want to enforce rules of a certain aggressive level for a certain threat type, select Pass without logging as the action.
    - If you want to exclude certain pre-defined rules during anomaly detection, select the rules in the Exceptions area.
  - Specified pre-defined rules: Select one or multiple rules and then select an action for each rule.
  For details about the actions, see Actions available for different services.
- Turn on notification for Cloud App Security to send notification emails upon anomaly detection.
- Select one or multiple custom correlation rules, and then select an action for each rule. In addition to the correlation rules predefined by Trend Micro, you can add custom correlation rules to accommodate detection requirements in your environment. For details, see Adding a custom correlation rule.
- Turn on notification for Cloud App Security to send notification emails upon anomaly detection.
- Configure Notification settings.
  Notify administrator
  - Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
  - Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.
  - Set the notification threshold, which limits the number of notification messages to send. Threshold settings include:
    - Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
    - Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
    - Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
  Notify User
  - Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.
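As an added example that is not part of the product documentation, the following Python model shows how the three notification threshold settings change how many emails go out for the same sequence of filtering actions; the event labels and timestamps are constructed, and the scheduler tick that flushes the periodic window is an assumption about how such consolidation is driven.

```python
from dataclasses import dataclass, field

# Constructed model of the three threshold settings on the page; all events are sample input.
@dataclass
class NotificationThreshold:
    mode: str                  # "periodic", "occurrences" or "individual"
    period_hours: float = 1.0  # periodic: length of the consolidation window
    occurrences: int = 1       # occurrences: filtering actions per consolidated message
    pending: list = field(default_factory=list)
    last_flush: float = 0.0    # periodic: hour at which the current window opened

    def on_detection(self, event):
        """Called once per filtering action; returns the emails (lists of events) to send now."""
        if self.mode == "individual":
            return [[event]]
        self.pending.append(event)
        if self.mode == "occurrences" and len(self.pending) >= self.occurrences:
            batch, self.pending = self.pending, []
            return [batch]
        return []

    def tick(self, now_hours):
        """Assumed scheduler hook: flushes the periodic window once it has elapsed."""
        if self.mode == "periodic" and now_hours - self.last_flush >= self.period_hours:
            self.last_flush = now_hours
            if self.pending:
                batch, self.pending = self.pending, []
                return [batch]
        return []

def simulate(threshold, events):
    """Replay (hour, event) pairs and return the emails that would have been sent."""
    sent = []
    for hour, event in events:
        sent.extend(threshold.tick(hour))
        sent.extend(threshold.on_detection(event))
    return sent

# Constructed sample: four filtering actions spread over about two hours
EVENTS = [(0.2, "m1 quarantined"), (0.5, "m2 quarantined"), (1.4, "m3 deleted"), (2.1, "m4 quarantined")]
```

With a one-hour period the first two actions arrive in one email and the last two wait for the next flush, while the occurrences setting of 2 yields two emails and the individual setting yields four.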