Creating a Risk Control Rule

Configure a secure access rule to control a user or device's app access activity based on its risk score or the risks discovered in it.

When a user or device matches the criteria in a risk control rule, Trend Micro Vision One monitors the user or device's subsequent activity and takes the configured action when the monitored activity occurs. For example, a user with a persistent high risk score attempts to sign in to a new browser session or access an internal app of your organization.

  1. On the Secure Access Rules screen, click Create Rule.
  2. Select Risk Control from the Template type drop-down list.

    The available templates appear in the list. For more information about the templates, see Secure Access Rule Templates.

  3. Click a template name.

    The rule configuration screen appears.

    You can choose another rule template from the Rule template drop-down list. The configuration items vary with the template.

  4. Specify a unique name and a description for the rule.

    By default, the rule template name and description are displayed as the rule name and description.

  5. Set the severity of the rule as needed.
  6. Click the toggle next to Status to enable or disable the rule.

    You can also choose to enable or disable a rule on the Secure Access Rules screen after you create the rule.

  7. Select all or specific targets, that is, users or device platforms, that the rule applies to.

    Note: In this release, only All devices is supported.

  8. Select the periods of time that the rule applies to.

    Options include:

    • Always: The rule takes effect all the time once created and enabled.

    • Custom: Customize the time and date when the rule takes effect.

  9. Configure the Act when rule factor based on the rule template you chose.

    This determines the criteria that users or devices must match to trigger the rule.

  10. Select an action.

    When a user or device matches the rule criteria, Trend Micro Vision One takes the configured actions to control the user or device's subsequent sign-in or app access activity.

    Table 1. Actions for Users

    User Behavior: Sign-in attempt
    Action: Whether to allow the user to sign in to a new application or browser session or continue with a currently active application or browser session
    Options include:
    • Monitor Sign-In Attempt
    • Disable User Account
    • Force Sign Out
    • Force Password Reset
    For more information about actions, see Zero Trust Actions.

    User Behavior: Internal app access
    Action: Whether to allow the user to access your organization's internal apps configured on the Trend Micro Vision One console
    Options include:
    • Block Internal App Access
    • Monitor Internal App Access
    For more information about actions, see Zero Trust Actions.

    Table 2. Actions for Devices

    Device Behavior: Internal app access
    Action: Whether to allow use of the device to access your organization's internal apps configured on the Trend Micro Vision One console
    Options include:
    • Block Internal App Access
    • Monitor Internal App Access
    For more information about actions, see Zero Trust Actions.

  11. Click the toggle next to Revoke actions to determine whether to automatically enable the user account or allow app access (if the Disable User Account and Block Internal App Access actions are enforced) when certain criteria are matched.

    By default, this option is enabled.

  12. Click Save.

    The rule is successfully created and listed on the Secure Access Rules screen.