Secure Access Rule Templates

Use templates to define your organization's secure access rules for users and devices.

Trend Vision One provides a set of pre-defined rule templates that correlate to different types of information you want to gather about your network environment. You can create a risk control rule from a template, fine-tune the rule to achieve expected results, and add automated actions to respond to and remediate risks automatically.

The following table describes the Risk Control rule templates.

| Template Name | Description | Target |
|---|---|---|
| Users with a persistent high risk score | A user has maintained a high risk score range over a period of time in the past. • User risk score: Risk score range that the user has maintained. For more information about a user's risk score, see Asset Profile Screens. • Within last: Number of days for which the user has remained within the specified risk score range. | User |
| Devices with a persistent high risk score | A device has maintained a high risk score range over a period of time in the past. • Device risk score: Risk score range that the device has maintained. For more information about a device's risk score, see Asset Profile Screens. • Within last: Number of days for which the device has remained within the specified risk score range. | Device |
| Leaked accounts in discovered users | A user's email account is detected to have had anomalous activity, such as a suspicious phishing attachment in an email from a new sender, or a possible forged sender with urgent intention. | User |
| Leaked accounts on discovered devices | A user's personally identifiable information (such as bank account, full name) is detected to have been leaked on the surface, deep, or dark web. | Device |
| Suspicious activity in discovered users | A user's account displays unusual activity, such as a possible forged sender with urgent intention, or a possible brute force attack. | User |
| At-risk accounts in discovered users | A user's account has been targeted by malicious email campaigns, such as a possible spear phishing attack on high-profile users via link. | User |
| Suspicious web activity in discovered users | A user has been detected visiting a risky URL or showing malicious activity within network traffic, such as a malicious download from a website. | User |
| Suspicious web activity on discovered devices | A user's visit to a risky URL or malicious activity within network traffic has been detected on a device, such as a suspected botnet infection. | Device |
| Suspicious email activity in discovered users | A user's email account has been detected to have malicious or anomalous email activity, such as company-wide email threats, or a data loss prevention violation in emails. | User |
| Workbench alerts for user-related events | A user-related event that may be malicious or indicate risk has been detected by XDR sensors and generated an alert in the Workbench app, such as ransomware lateral movement detection, or possible sensitive information exfiltration. | User |
| Workbench alerts for device-related events | A device-related event that may be malicious or indicate risk has been detected by XDR sensors and generated an alert in the Workbench app, such as possible disabling of antivirus software, or cryptocurrency mining malware. | Device |
| Operating system vulnerabilities on discovered devices | An endpoint has been detected to have exploitable operating system vulnerabilities. | Device |
| Application vulnerabilities on discovered devices | An endpoint has been detected to have exploitable application vulnerabilities. | Device |