Server & Workload Protection enables you to create tags that you can use to identify and sort events. For example,
you might use tags to separate events that are benign from those that require further
investigation. You can use tags to create customized dashboards and reports.
Although you can use event tagging for a variety of purposes, it was designed to ease
the burden of event management. After you have analyzed an event and determined that
it is benign, you can look through the event logs of the computer (and any other similarly
configured and tasked computers) to find similar events and apply the same label to
them, eliminating the need to analyze each event individually.
To view tags that are currently in use, go to .
Note: Tags do not alter the data in the events themselves, nor do they allow users to delete
events. They are simply extra attributes provided by Server & Workload Protection.
You can perform tagging the following ways:
- Manual tagging lets you tag specific events as needed.
- Auto-tagging lets you use an existing event as the model for auto-tagging similar events on the same or other computers. You define the parameters for "similarity" by selecting which event attributes have to match the model event attributes for a tag to be applied.
- Trusted source tagging lets you auto-tag Integrity Monitoring events based on their similarity to known-good events from a trusted source.
Note: An important difference between standard tagging and trusted source tagging is that
"Run on Existing Events Now" can only be done with standard event tagging.
Manual tagging
Procedure
- Go to and select an event list. Right-click the event (or select multiple events and right-click) and select Add Tag(s).
- Type a name for the tag. Server & Workload Protection will suggest matching names of existing tags as you type.
- Select The Selected [Event Type] Event. Click Next.
- Enter some optional comments and click Finish.
What to do next
In the events list, you can see your tag in the TAG(S) column.
Auto-tagging
Server & Workload Protection enables you to define rules that apply the same tag to similar events automatically.
To view existing saved auto-tagging rules, click Auto-Tagging in the menu bar on any Events page. You can run saved rules manually from this page.
Procedure
- Go to and select an event list. Right-click a representative event and select Add Tag(s).
- Type a name for the tag. Server & Workload Protection will suggest matching names of existing tags as you type.
- Select Apply to selected and similar [Event Type] Events and click Next.
- Select the computers where you want to auto-tag events and click Next. When applying tags to system events, this page is skipped.
- Select which attributes will be examined to determine whether events are similar. For the most part, the attribute options are the same as the information displayed in the columns of the Events list pages. When you have selected which attributes to include in the event selection process, click Next.
- On the next page, specify when events should be tagged. If you select Existing [Event Type] Events, you can select Apply Auto-Tag Rule now to apply the auto-tagging rule immediately, or Apply Auto-Tag Rule in the background to have it run in the background at a lower priority. Select Future [Event Type] Events to apply the auto-tagging rule to events that will happen in the future. You can also save the auto-tagging rule by selecting Save Auto-Tag Rule and optionally entering a name. Click Next.
- Review the summary of your auto-tagging rule and click Finish.
What to do next
In the events list, you can see that your original event and all similar events have
been tagged.
Note: Event tagging only occurs after events have been retrieved from the agents to the
Server & Workload Protection database.
Set the precedence for an auto-tagging rule
Once an auto-tagging rule is created, you can assign it a Precedence value. If the auto-tagging rule has been configured to run on future events, the
rule's precedence determines the order in which all auto-tagging rules are applied
to incoming events. For example, you can have a rule with a precedence value of "1"
that tags all "User Signed In" events as "suspicious", and a rule with a precedence
value of "2" that removes the "suspicious" tag from all "User Signed In" events where
the target (user) is you. This will result in a "suspicious" tag being applied to
all future "User Signed In" events where the user is not you.
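The precedence behaviour described above, modelled as an added example that is not Server & Workload Protection code: rules are applied to each incoming event in ascending precedence order, and a later rule can remove a tag that an earlier one added. The Event and AutoTagRule classes, the "add"/"remove" actions and the user name "alice" are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Constructed model of auto-tagging rule precedence (not product code).


@dataclass
class Event:
    event_type: str
    target_user: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class AutoTagRule:
    name: str
    precedence: int                      # lower value runs first
    matches: Callable[[Event], bool]     # the "similarity" test for this rule
    tag: str
    action: str = "add"                  # "add" or "remove" the tag


def apply_rules(event: Event, rules: List[AutoTagRule]) -> Set[str]:
    """Apply every rule to one incoming event, in precedence order."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(event):
            if rule.action == "add":
                event.tags.add(rule.tag)
            else:
                event.tags.discard(rule.tag)
    return event.tags


ME = "alice"  # assumed name of the user whose own sign-ins are not suspicious

# Precedence 1 tags every sign-in; precedence 2 clears the tag for my own sign-ins.
RULES = [
    AutoTagRule("flag all sign-ins", 1,
                lambda e: e.event_type == "User Signed In", "suspicious", "add"),
    AutoTagRule("clear my own sign-ins", 2,
                lambda e: e.event_type == "User Signed In" and e.target_user == ME,
                "suspicious", "remove"),
]


def tags_for(event_type: str, user: str, rules=RULES) -> List[str]:
    """Tags left on a fresh event of the given type/user after all rules ran."""
    return sorted(apply_rules(Event(event_type, user), rules))


if __name__ == "__main__":
    print(tags_for("User Signed In", "bob"))    # suspicious
    print(tags_for("User Signed In", ME))       # nothing: rule 2 removed it
```

Swapping the two precedence values shows why order matters: the "remove" rule then runs first, finds no tag to remove, and the "add" rule tags every sign-in, including your own.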
Procedure
- In an events list, click Auto-Tagging to display a list of saved auto-tagging rules.
- Right-click an auto-tagging rule and select Details.
- In the General tab, select a Precedence for the rule.
Auto-tagging log inspection events
Log inspection events are auto-tagged based upon their grouping in the log file structure.
This simplifies and automates the processing of log inspection events within Server & Workload Protection. You can use auto-tagging to automatically apply tags for the log inspection groups.
Log inspection rules have groups associated with them in the rules. For example:
<rule id="18126" level="3">
  <if_sid>18101</if_sid>
  <id>^20158</id>
  <description>Remote access login success</description>
  <group>authentication_success,</group>
</rule>
<rule id="18127" level="8">
  <if_sid>18104</if_sid>
  <id>^646|^647</id>
  <description>Computer account changed/deleted</description>
  <group>account_changed,</group>
</rule>
Each group name has a "friendly" name string associated with it. In the above example,
"authentication_success" would be "Authentication Success", "account_changed" would
be "Account Changed". When this checkbox is set, the friendly names are automatically
added as a tag for that event. If multiple rules trigger, multiple tags will be attached
to the event.
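To make the group-to-tag mapping concrete, here is an added example (not Server & Workload Protection code) that parses the two rules quoted above, derives the friendly name from each group, and collects the tags for an event that triggered one or more rules. The rules are wrapped in a root <group name="..."> element so the fragment parses as one XML document; the friendly-name derivation (split on underscores, capitalize each word) is an assumption that reproduces the two names given in the text.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed from the two rules quoted on the page (not product code).
RULES_XML = """<group name="example">
<rule id="18126" level="3">
  <if_sid>18101</if_sid>
  <id>^20158</id>
  <description>Remote access login success</description>
  <group>authentication_success,</group>
</rule>
<rule id="18127" level="8">
  <if_sid>18104</if_sid>
  <id>^646|^647</id>
  <description>Computer account changed/deleted</description>
  <group>account_changed,</group>
</rule>
</group>"""


def friendly_name(group: str) -> str:
    """'authentication_success' -> 'Authentication Success' (assumed mapping)."""
    return " ".join(word.capitalize() for word in group.strip().split("_"))


def load_rule_groups(xml_text: str) -> Dict[str, List[str]]:
    """Map each rule id to the list of group names declared in its <group>."""
    root = ET.fromstring(xml_text)
    groups = {}
    for rule in root.iter("rule"):
        raw = rule.findtext("group") or ""
        # Group lists are comma-separated and may carry a trailing comma.
        groups[rule.get("id")] = [g.strip() for g in raw.split(",") if g.strip()]
    return groups


def tags_for_event(triggered_rule_ids: List[str],
                   rule_groups: Dict[str, List[str]]) -> List[str]:
    """Friendly-name tags for an event, one per group of each triggered rule,
    without duplicates and in trigger order."""
    tags: List[str] = []
    for rule_id in triggered_rule_ids:
        for group in rule_groups.get(rule_id, []):
            name = friendly_name(group)
            if name not in tags:
                tags.append(name)
    return tags


if __name__ == "__main__":
    groups = load_rule_groups(RULES_XML)
    print(tags_for_event(["18126", "18127"], groups))
```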
Trusted source tagging
Note: Trusted source event tagging can only be used with events generated by the Integrity
Monitoring protection module.
Note: For customers who subscribed on or after July 12, 2021 and are using version 20.0.0-2593+
agents, the Trusted Common Baseline is no longer available. For customers who subscribed
before July 12, 2021, the button will be available until January 1, 2022. Events that
were tagged prior to July 12, 2021 will maintain their tags, but new Integrity Monitoring
events will need to be tagged using other methods.
The Integrity Monitoring module allows you to monitor system components and associated
attributes on a computer for changes. ("Changes" include creation and deletion as
well as edits.) Among the components that you can monitor for changes are files, directories,
groups, installed software, listening port numbers, processes, registry keys, and
so on.
Trusted source event tagging is designed to reduce the number of events that need
to be analyzed by automatically identifying events associated with authorized changes.
In addition to auto-tagging similar events, the Integrity Monitoring module allows
you to tag events based on their similarity to events and data found on Trusted Sources. A trusted source can be:
- A local trusted computer
- The Trend Micro Certified Safe Software Service
- A trusted common baseline, which is a set of file states collected from a group of computers
Local trusted computer
A trusted computer is a computer that will be used as a "model" computer that you
know will only generate benign or harmless events. A "target" computer is a computer
that you are monitoring for unauthorized or unexpected changes. The auto-tagging rule
examines events on target computers and compares them to events from the trusted computer.
If any events match, they are tagged with the tag defined in the auto-tagging rule.
You can establish auto-tagging rules that compare events on protected computers to
events on a trusted computer. For example, a planned rollout of a patch can be applied
to the trusted computer. The events associated with the application of the patch can
be tagged as "Patch X". Similar events raised on other systems can be auto-tagged
and identified as acceptable changes and filtered out to reduce the number of events
that need to be evaluated.
How does Server & Workload Protection determine whether an event on a target computer matches an event on a trusted source computer?
Integrity monitoring events contain information about transitions from one state to
another. In other words, events contain before and after information. When comparing events, the auto-tagging engine will look for matching
before and after states; if the two events share the same before and after states,
the events are judged to be a match and a tag is applied to the second event. This
also applies to creation and deletion events.
Note: Remember that when using a trusted computer for trusted source event tagging, the
events being tagged are events generated by Integrity Monitoring rules. This means
that the Integrity Monitoring rules that are generating events on the target computer
must also be running on the trusted source computer.
Note: Trusted source computers must be scanned for malware before applying trusted source
event tagging.
Note: Utilities that regularly make modifications to the content of files on a system (prelinking
on Linux, for example) can interfere with trusted source event tagging.
Tag events based on a local trusted computer
Procedure
- Make sure the trusted computer is free of malware by running a full anti-malware scan.
- Make sure the computer(s) on which you want to auto-tag events are running the same
(or some of the same) Integrity Monitoring rules as the trusted source computer.
- In the Server & Workload Protection console, go to and click Auto-Tagging in the toolbar.
- In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source to display the Tag Wizard.
- Select Local Trusted Computer and click Next.
- From the list, select the computer that will be the trusted source and click Next.
- Specify one or more tags to apply to events on target computers when they match events
on this trusted source computer. Click Next.
Note: You can enter the text for a new tag or select from a list of existing tags.
- Identify the target computers whose events will be matched to those of the trusted
source. Click Next.
- Optionally, give the rule a name and click Finish.
Tag events based on the Trend Micro Certified Safe Software Service
The Certified Safe Software Service is a list of known-good file signatures maintained
by Trend Micro. This type of trusted source tagging will monitor target computers
for file-related Integrity Monitoring events. When an event has been recorded, the
file's signature (after the change) is compared to Trend Micro's list of known good
file signatures. If a match is found, the event is tagged.
Procedure
- In the Server & Workload Protection console, go to and click Auto-Tagging in the toolbar.
- In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source to display the Tag Wizard.
- Select Certified Safe Software Service and click Next.
- Specify one or more tags to apply to events on target computers when they match the Certified Safe Software Service. Click Next.
- Identify the target computers whose events will be matched to the Certified Safe Software Service. Click Next.
- Optionally, give the rule a name and click Finish.
Tag events based on a trusted common baseline
The trusted common baseline method compares events within a group of computers. A
group of computers is identified and a common baseline is generated based on the files
and system states targeted by the Integrity Monitoring rules in effect on the computers
in the group. When an Integrity Monitoring event occurs on a computer within the group,
the signature of the file after the change is compared to the common baseline. If
the file's new signature has a match elsewhere in the common baseline, a tag is applied
to the event. In the trusted computer method, the before and after states of an Integrity
Monitoring event are compared, but in the trusted common baseline method, only the
after state is compared.
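The three matching methods described on this page (local trusted computer, Certified Safe Software Service, and trusted common baseline) differ only in which parts of an Integrity Monitoring event they compare. The following added example, which is not Server & Workload Protection code, models that difference on the same constructed events: the trusted computer method needs the before and after states to match, the Certified Safe Software Service and common baseline methods look only at the after state, and the baseline additionally requires the match to come from a different computer in the group. Computer names, paths, the short "hash" strings and the known-good set are made-up sample values; matching on the entity path in the trusted computer method is an assumption of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of trusted source matching (not product code).


@dataclass(frozen=True)
class IMEvent:
    """One Integrity Monitoring event: a state transition on one entity."""
    computer: str
    entity: str
    before: Optional[str]   # state (e.g. file hash) before; None = created
    after: Optional[str]    # state after; None = deleted


def tag_by_trusted_computer(targets: List[IMEvent], trusted: List[IMEvent],
                            tag: str = "Patch X") -> List[Set[str]]:
    """Local trusted computer: entity, before state and after state must all
    match an event seen on the trusted computer. Creations and deletions
    match through their None state."""
    known = {(e.entity, e.before, e.after) for e in trusted}
    return [{tag} if (e.entity, e.before, e.after) in known else set()
            for e in targets]


def tag_by_certified_safe(targets: List[IMEvent], known_good: Set[str],
                          tag: str = "Known Good") -> List[Set[str]]:
    """Certified Safe Software Service: only the after-change signature is
    checked against the known-good list (a constructed set stands in here)."""
    return [{tag} if e.after is not None and e.after in known_good else set()
            for e in targets]


def tag_by_common_baseline(targets: List[IMEvent], group: List[IMEvent],
                           tag: str = "Baseline") -> List[Set[str]]:
    """Trusted common baseline: the after state must already exist in the
    baseline of another computer in the group; the before state is ignored."""
    computers_with_state = {}
    for b in group:
        if b.after is not None:
            computers_with_state.setdefault(b.after, set()).add(b.computer)
    result = []
    for e in targets:
        others = computers_with_state.get(e.after, set()) - {e.computer}
        result.append({tag} if e.after is not None and others else set())
    return result


# Constructed sample data: a patch applied on the trusted computer ...
TRUSTED = [
    IMEvent("trusted01", "/usr/bin/ssh", "h1", "h2"),
    IMEvent("trusted01", "/etc/new.conf", None, "h9"),
]
# ... and the events raised on the target computers afterwards.
TARGETS = [
    IMEvent("web01", "/usr/bin/ssh", "h1", "h2"),   # same transition as trusted
    IMEvent("web02", "/usr/bin/ssh", "h1", "h3"),   # different after state
    IMEvent("web03", "/usr/bin/ssh", "h0", "h2"),   # same after, different before
    IMEvent("web01", "/etc/new.conf", None, "h9"),  # same creation as trusted
]
KNOWN_GOOD = {"h2"}


if __name__ == "__main__":
    print(tag_by_trusted_computer(TARGETS, TRUSTED))
    print(tag_by_certified_safe(TARGETS, KNOWN_GOOD))
    print(tag_by_common_baseline(TARGETS, TARGETS))
```

The third target event shows the practical difference: it reaches the same after state as the trusted computer from a different starting state, so the trusted computer method leaves it untagged (the transition is not the one that was vetted), while the after-state-only methods tag it.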
Note: This method relies on all the computers in the common group being secure and free
of malware. A full anti-malware scan should be run on all the computers in the group
before the common baseline is generated.
Note: When an Integrity Monitoring baseline is generated for a computer, Server & Workload Protection will first check if that computer is part of a trusted common baseline group. If
it is, it will include the computer's baseline data in the trusted common baseline
for that group. For this reason, the trusted common baseline auto-tagging rule must
be in place before any Integrity Monitoring rules have been applied to the computers
in the common baseline group.
Procedure
- Make sure all the computers that will be in the group that will make up the trusted common baseline are free of malware by running a full anti-malware scan on them.
- In the Server & Workload Protection console, go to and click Auto-Tagging in the toolbar.
- In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source to display the Tag Wizard.
- Select Trusted Common Baseline and click Next.
- Specify one or more tags to apply to events when they have a match in the trusted common baseline and click Next.
- Identify the computers to include in the group used to generate the trusted common baseline. Click Next.
- Optionally, give this rule a name and click Finish.
Delete a tag
Procedure
- In an events list, right-click the events with the tag you want to delete, and select Remove Tag(s).
- Select the tag you'd like to remove. Choose to remove the tag from The Selected [Event Type] Event or to Apply to selected similar [Event Type] Events. Click Next.
- Enter some optional comments and click Finish.