Modifying a Risk Control Rule in Classic View

Modify a risk control rule in classic view.

When a user or device matches the criteria in a risk control rule, based on the actions configured, Trend Micro Vision One monitors the user or device's subsequent activity and takes action when the monitored activity occurs. For example, when a user with a persistent high risk score attempts to sign in to a new browser session or access an internal app of your organization the action could be blocked.

Note:

Some risk control rules types can be modified in classic view. New risk control rules must be created in playbook view.

  1. On the Secure Access Rules screen, click the Risk Control tab and then click a rule name.
  2. If the modify rule screen appears in playbook view, click Switch to Classic View.
    Note:

    Classic view is not available for all risk control rule types.

  3. Select Risk Control from the Template type drop-down list.

    The available templates appear in the list. For more information about the templates, see Secure Access Rule Templates.

  4. Click a template name.

    The rule configuration screen appears.

    You can choose another rule template from the Rule template drop-down list. The configuration items vary with the template.

  5. Specify a unique name and a description for the rule.
  6. (Optional) To enable or disable the rule, click the toggle next to Status.
    Tip:

    You can also enable or disable rules on the Secure Access Rules tab.

  7. Configure the following rule factors.
    Table 1. Actions

    Rule Factor

    Description

    Options

    Risk Events

    The risky behavior or action that triggers the rule

    Select from the list of risky events predefined by Trend Micro.

    Note:

    This rule factor may or may not appear depending on the rule template.

    Risk Score

    The user risk score that triggers the rule

    Select a minimum risk score or a range, and then select the time period.

    Note:

    This rule factor may or may not appear depending on the rule template.

    Source (for user-targeted rules)

    The user/groups that the rule applies to

    User/user groups

    Specify users and groups from your IAM system.

    Note:

    If you have configured more than one IAM system, the IAM system with SSO enabled applies.

    Source (for device-targeted rules)

    The devices that the rule applies to

    Select all or specific targets, that is, users or device platforms, that the rule applies to.

    Note:

    Currently, only All devices is supported.

    Schedule

    The weekly period that the rule is applied

    To configure the recurrence of the schedule, select Only apply the rule during the specified period, and then select a start date and end date.

    Note:

    The schedule uses the defined time zone of the console.

    Action (for user-targeted rules)

    The action taken on user account when the rule is triggered

    Access control

    When a user or device matches the rule criteria, Trend Micro Vision One takes configured actions to control the user or device's subsequent sign-in or app access activity.

    For more information about actions, see Zero Trust Actions.

    • Sign-in attempt: Control user access by monitoring sign-in attempts, disabling user accounts, or forcing sign out and password reset

    • Private access: Block or monitor user access to your organization's internal apps configured on the Trend Micro Vision One console

    • Internet access: Block or monitor user access to cloud apps and external URLs on the internet

    Revoke actions

    Click the toggle next to Revoke actions to revoke the following actions when certain criteria are matched.

    • Disable User Account
    • Block Internal App Access
    • Block Cloud App/URL Access

    By default, this option is enabled.

    Action (for device-targeted rules)

    The action taken on device when the rule is triggered

    Access control
    • Isolate Endpoint: Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product

      Important:

      The Zero Trust Secure Access app sends the command to the Response Management app to take the action. Make sure that at least one of the following supported agents is installed on your devices: Trend Micro Vision One, Apex One as a Service, Cloud One - Workload Security. For more information, see Response Actions.

    • Private access: Block or monitor device access to your organization's internal apps configured on the Trend Micro Vision One console

    • Internet access: Block or monitor device access to cloud apps and external URLs on the internet

    Revoke actions

    Click the toggle next to Revoke actions to revoke the following actions when certain criteria are matched.

    • Isolate Endpoint
    • Block Internal App Access
    • Block Cloud App/URL Access
  8. Click Save.

    The rule is successfully created and listed on the Secure Access Rules screen.