Detect security risks and identify anomalies by correlating signals across different sources and leveraging Agentic AI-powered detection.

Designed to empower you with enhanced detection capabilities, Correlated Intelligence correlates suspicious signals from various sources to detect security risks and anomalies.
Note
  • Correlated Intelligence is available for Exchange Online, Exchange Online (Inline Mode), Gmail, and Gmail (Inline Mode).
  • Currently, Correlated Intelligence collects signals from Advanced Spam Protection, Malware Scanning, and Web Reputation.
One key advantage of Correlated Intelligence is its capability to see and analyze signals from multiple sources to identify security risks that may go unnoticed by a single security filter. This multi-source approach adds an extra layer of protection to detect potential threats.
Another highlight of Correlated Intelligence is its ability to alert you to anomalies, in which one or multiple signals deviate from normal behavior. Anomalies may not necessarily indicate a security risk, but are unusual enough to warrant attention. With this feature, you can have a more comprehensive view of your security landscape.
Correlated Intelligence operates by first gathering signals from various security filters and then matching the signals against the predefined or user-defined rules. The aim of this process is to identify any matches that could indicate a security risk or anomaly, providing a more thorough and nuanced analysis of potential security threats.
Agentic AI-powered detection adds another layer of intelligence to Correlated Intelligence. It uses correlation rules together with AI-driven analysis to detect security risks including phishing and spam more effectively.
Note
  • Agentic AI-powered detection is in private preview. If you want to access this feature before it enters public preview or is officially released, contact your sales representative.
  • This feature is only available after your Cloud Email and Collaboration Protection is updated to Cloud Email and Collaboration Protection in Trend Vision One.
  • Currently, this feature is available for Exchange Online only.
Cloud Email and Collaboration Protection comes with a set of predefined correlation rules and detection signals to detect Trend Micro specified security risks and anomalies. You can also define custom detection signals that are unique and critical to your environment, and then incorporate them into custom correlation rules. This gives you the flexibility to configure Correlated Intelligence policies that meet your actual needs.

Configuring Correlated Intelligence

Enable detection of security risks and anomalies through correlation of signals across different sources and specify the action to apply to any match.

Procedure

  1. Select Correlated Intelligence.
  2. Select Enhance with Agentic AI detection.
    This option enables the Agentic AI-powered detection model in Correlated Intelligence to detect spam and more phishing emails.
    Note
    Currently, Agentic AI-powered detection applies to security risks only.
  3. Configure settings on the Security Risks tab.
    Security risks are high-confidence detections by Correlated Intelligence. These are usually sophisticated attacks that are difficult to detect with a single protection layer. Correlated Intelligence combines signals from various sources and leverages an Agentic AI-powered detection module (if enabled) to identify advanced attacks designed to bypass traditional, layer-by-layer defenses.
    1. Configure Action settings for each security risk type.
      You can work with the default settings or configure the settings to meet your requirements.
      For details about the actions, see Actions available for different services.
    2. Turn on notification for Cloud Email and Collaboration Protection to send notification emails upon security risk detection.
    3. (Exchange Online only) Turn on Warning banner to display a cautionary message at the top of the email body when end users receive an email flagged as phishing or spam by predefined correlation rules or Agentic AI.
      The banner explains the reason for the warning, advising end users to exercise caution when interacting with the email. Click Preview to see how the warning banner will appear in end users' mailboxes.
      Upon configuration, Cloud Email and Collaboration Protection can activate the options in the warning banner for end users to report emails as spam, phishing, wanted, or not a risk to Trend Micro or specified administrators. This serves as another approach, in addition to the Add-in for Outlook, to help improve threat detection by allowing end users to report emails. When receiving a reported email, Cloud Email and Collaboration Protection can send a confirmation email to the end user.
      You can also choose to alert end users about potential risks without activating the reporting actions. To disable these actions, turn off Report to Trend Micro and Report to administrators in Administration > Email Reporting. For details, see Email reporting.
      To get visibility into the emails reported by end users, go to Operations > User-Reported Emails. For details, see User-reported emails.
  4. Configure settings on the Anomalies tab.
    1. Decide whether to enforce all or only some of the predefined correlation rules to detect anomalies.
      • All pre-defined rules
        This option is automatically selected when you enable the Correlated Intelligence toggle.
        Trend Micro classifies its predefined correlation rules for anomaly detection into three aggressive levels: Moderate, Aggressive, and Extra aggressive. For details about these rules and the scenarios that the rules of each aggressive level are suitable for, see Viewing correlation rules and detection signals.
        Selecting All pre-defined rules enforces all existing and future predefined correlation rules to automatically detect anomalies.
        1. Click the digit next to each aggressive level to view the associated predefined rules.
        2. Select an action for anomaly detection of each threat type under each aggressive level.
          If you do not want to enforce the rules of a certain aggressive level for a certain threat type, select Pass without logging as the action.
          For details about the actions, see Actions available for different services.
        3. If you want to exclude certain predefined rules during anomaly detection, select the rules in the Exceptions area.
      • Specified pre-defined rules
        Select one or multiple rules and then select an action for each rule.
      Important
      Anomalies detected by Correlated Intelligence correlation rules may not always indicate malicious activity; the rules align with certain suspicious signals and can vary in effectiveness and expectation. We recommend initially setting actions to Tag subject, Add disclaimer, or Label email to monitor outcomes before applying stronger actions. You can also create custom correlation rules and add them in the Custom Correlated Intelligence section to better fit your environment.
    2. Turn on notification for Cloud Email and Collaboration Protection to send notification emails upon anomaly detection.
    3. (Exchange Online only) Turn on Warning banner to display a cautionary message at the top of the email body when end users receive an email flagged as an anomaly by predefined correlation rules.
      You can also choose to alert end users about potential risks without activating the reporting actions. To disable these actions, turn off Report to Trend Micro and Report to administrators in Administration > Email Reporting. For details, see Email reporting.
      To get visibility into the emails reported by end users, go to Operations > User-Reported Emails. For details, see User-reported emails.
  5. Configure settings on the Custom Correlated Intelligence tab.
    1. Select one or multiple custom correlation rules, and then select an action for each rule.
      In addition to the correlation rules predefined by Trend Micro, you can add custom correlation rules to accommodate detection requirements in your environment. For details, see Adding a custom correlation rule.
    2. Turn on notification for Cloud Email and Collaboration Protection to send notification emails upon anomaly detection.
  6. Configure settings on the Notification & Approved List tab.
    1. Configure Notification settings.
      Notify administrator
      1. Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
      2. Specify message details to notify administrators that Cloud Email and Collaboration Protection detected a security risk and took action on an email message, attachment, or file.
      3. Set the notification threshold which limits the number of notification messages to send. Threshold settings include:
        • Send consolidated notifications periodically: Cloud Email and Collaboration Protection sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
        • Send consolidated notifications by occurrences: Cloud Email and Collaboration Protection sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
        • Send individual notifications: Cloud Email and Collaboration Protection sends an email message notification every time Cloud Email and Collaboration Protection performs a filtering action.
      Notify User
      Specify message details that notify recipients that Cloud Email and Collaboration Protection detected a security risk and took action on their email message or attachment.
    2. Click the Approved List tab and configure the approved sender list.
      1. Enable the approved sender list.
      2. Specify a sending email address or domain to bypass Correlated Intelligence scanning and click Add >.
        Note
        You can use the wildcard character (*) to represent any characters in the email address or domain name. Examples: *@example.com, name@*.com, *@*.example.com
        The following formats are invalid: *@*, *
      3. Optionally click Import to import sender email addresses in batches, or click Export to export and download the approved senders to your local machine.
  7. Click Save.
    You can check the detection results and learn about the reasons behind the detections in the Operations > Correlated Intelligence screen.
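
The wildcard rules for the approved sender list (step 6), as an added example that is not Trend Micro code: because approved senders bypass Correlated Intelligence scanning, this Python check reviews entries before import, rejecting the two formats the page lists as invalid and flagging entries whose wildcard is not tied to one organisation's domain. The matching semantics, the bare-domain handling, the "broad" heuristic and all function names are assumptions made for this example.

```python
import re

# Formats the page lists as invalid for the approved sender list.
INVALID = {"*", "*@*"}

def normalise(entry):
    """Lower-case an entry; treat a bare domain as '*@domain' (assumption)."""
    e = entry.strip().lower()
    return e if "@" in e or e == "*" else "*@" + e

def matches(entry, sender):
    """True if the sender address is covered by the entry.

    Assumed semantics: '*' stands for any run of characters, case-insensitive.
    """
    parts = (re.escape(p) for p in normalise(entry).split("*"))
    return re.fullmatch(".*".join(parts), sender.strip().lower()) is not None

def audit(entry):
    """Classify an entry as 'invalid', 'broad' or 'ok'.

    'invalid' is taken from the page. 'broad' is a review heuristic added
    here: a wildcard inside the last two domain labels, so the entry is not
    tied to one organisation's domain (no public-suffix list is consulted).
    """
    e = normalise(entry)
    if e in INVALID:
        return "invalid"
    labels = e.rsplit("@", 1)[1].split(".")
    if len(labels) < 2 or any("*" in label for label in labels[-2:]):
        return "broad"
    return "ok"

# Constructed sample entries: the page's own examples plus its invalid formats.
SAMPLE_ENTRIES = ["*@example.com", "name@*.com", "*@*.example.com", "*@*", "*"]

def review(entries):
    """Map each entry to its audit result, for checking a list before import."""
    return {entry: audit(entry) for entry in entries}

if __name__ == "__main__":
    for entry, verdict in review(SAMPLE_ENTRIES).items():
        print(f"{verdict:8} {entry}")
```

An entry such as name@*.com is accepted by the product per the page, but it covers that local part at every .com domain, which is why the heuristic marks it for review.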