Creating a Risk Control Rule in Classic View

Configure a secure access rule to control a user's or device's sign-in or app access activity based on their risk scores or the risks discovered for them.

When a user or device matches the criteria in a risk control rule, Trend Micro Vision One monitors the user or device's subsequent activity and takes the configured action when the monitored activity occurs. For example, a user with a persistent high risk score attempts to sign in to a new browser session or access an internal app of your organization.

  1. On the Secure Access Rules screen, click the Risk Control tab and then click Create Rule from Template.
  2. Select Risk Control from the Template type drop-down list.

    The available templates appear in the list. For more information about the templates, see Secure Access Rule Templates.

  3. Click a template name.

    The rule configuration screen appears.

    You can choose another rule template from the Rule template drop-down list. The configuration items vary with the template.

  4. Specify a unique name and a description for the rule.

    By default, the rule template name and description are displayed as the rule name and description.

  5. Click the toggle next to Status to enable or disable the rule.

    You can also choose to enable or disable a rule on the Secure Access Rules screen after you create the rule.

  6. Select all or specific targets, that is, users or device platforms, that the rule applies to.

    Note: In this release, only All devices is supported.

  7. Select the periods of time that the rule applies to.

    Options include:

    • Always: The rule takes effect all the time once created and enabled.

    • Custom: Customize the time and date when the rule takes effect.

    Note: Trend Micro Vision One applies the rule according to the current time zone specified for the Trend Micro Vision One console.

  8. Configure the Act when rule factor based on the rule template you chose.

    This determines the criteria that users or devices must match to trigger the rule.

  9. Select an action.

    When a user or device matches the rule criteria, Trend Micro Vision One takes configured actions to control the user or device's subsequent sign-in or app access activity. For more information about actions, see Zero Trust Actions.

    Table 1. Actions for User-Targeted Rules

    | User Behavior | Action |
    | --- | --- |
    | Sign-in attempt | Whether to allow the user to sign in to a new application or browser session or continue with a currently active application or browser session. Options include: Monitor Sign-In Attempt; Disable User Account; Force Sign Out; Force Password Reset |
    | Internal app access | Whether to allow the user to access your organization's internal apps configured on the Trend Micro Vision One console. Options include: Block Internal App Access; Monitor Internal App Access |
    | Cloud app/URL access | Whether to allow the user to access cloud apps and external URLs on the internet. Options include: Block Cloud App/URL Access; Monitor Cloud App/URL Access |

    Table 2. Actions for Device-Targeted Rules

    | Device Behavior | Action |
    | --- | --- |
    | Isolate Endpoint | Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product. Important: The Zero Trust Secure Access app sends the command to the Response Management app to take the action. Make sure that at least one of the following supported agents is installed on your devices: Trend Micro Vision One, Apex One as a Service, Cloud One - Workload Security. For more information, see Response Actions. |
    | Internal app access | Allows or blocks use of the device to access your organization's internal apps configured on the Trend Micro Vision One console. Options include: Block Internal App Access; Monitor Internal App Access. Important: Internal app access control in device-targeted rules applies only to devices deployed with the Secure Access Module. Make sure that you have deployed the Module to your devices and configured the Private Access Service in the Zero Trust Secure Access app. |

  10. Click the toggle next to Revoke actions to determine whether to automatically enable the user account or allow app access (if the Disable User Account and Block Internal App Access actions are enforced) when certain criteria are matched.

    By default, this option is enabled.

  11. Click Save.

    The rule is successfully created and listed on the Secure Access Rules screen.