
Detect security risks and identify anomalies by correlating signals across different sources.

Designed to empower you with enhanced detection capabilities against sophisticated attacks, Correlated Intelligence correlates suspicious signals from various sources to detect phishing security risks and anomalies.
Note
Correlated Intelligence is available for Inbound Protection only.
Correlated Intelligence collects signals from Virus Scan and Spam Filtering.
One key advantage of Correlated Intelligence is the capability to see and analyze signals from multiple sources to identify phishing security risks that may go unnoticed by a single security filter. This multi-source approach adds an extra layer of protection to detect potential threats.
Another highlight of Correlated Intelligence is its ability to alert you to anomalies: one or more signals that deviate from normal behavior. An anomaly does not necessarily indicate a security risk, but it is unusual enough to warrant attention. With this feature, you get a more comprehensive view of your security landscape.
Correlated Intelligence operates by first gathering detection signals from various security criteria and then matching the signals against the predefined correlation rules. The aim of this process is to identify any matches that could indicate a phishing security risk or anomaly, providing a more thorough and nuanced analysis of potential security threats.
Trend Micro Email Security comes with a set of predefined correlation rules and detection signals to detect Trend Micro specified security risks and anomalies. To view details about the predefined correlation rules, detection signals, and the threat types of anomalies they target, go to the Administration > Policy Objects > Correlation Rules and Detection Signals screen. You can also define custom correlation rules and detection signals that are unique and critical to your environment, and then add them to Correlated Intelligence policy rules. This gives you the flexibility to configure a Correlated Intelligence policy that meets your actual needs.
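The following is an added example, not Trend Micro code, that models the correlation step described above: signals from two filters (Virus Scan and Spam Filtering) are pooled per message and matched against rules, each rule being a required combination of signals classified as either a security risk or an anomaly with an aggressive level. The signal names, rule names, the "strong" single-filter signals and the sample messages are all constructed for illustration and do not correspond to actual product signals or rules. The point it shows is the one made above: a message whose signals are individually too weak for any single filter to act on can still match a correlation rule.

```python
"""Toy correlation engine modelled on the description of Correlated Intelligence.
Added example with constructed data; signal and rule names are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    required: frozenset        # every listed "source:signal" must be present
    kind: str                  # "security_risk" or "anomaly"
    level: str = "Moderate"    # aggressive level; only meaningful for anomalies
    enabled: bool = True


@dataclass
class Message:
    subject: str
    signals: dict = field(default_factory=dict)   # source -> set of signal names


# Constructed rules. Only 'credential_phish' is a high-confidence security risk;
# the others are anomalies at different aggressive levels, one of them disabled.
RULES = [
    Rule("credential_phish",
         frozenset({"virus_scan:url_low_reputation",
                    "spam_filter:display_name_mismatch",
                    "spam_filter:urgency_language"}),
         "security_risk"),
    Rule("suspicious_email",
         frozenset({"spam_filter:display_name_mismatch",
                    "spam_filter:new_sender_domain"}),
         "anomaly", level="Moderate"),
    Rule("possibly_unwanted_email",
         frozenset({"spam_filter:bulk_pattern"}),
         "anomaly", level="Extra aggressive"),
    Rule("retired_rule",
         frozenset({"virus_scan:url_low_reputation"}),
         "anomaly", level="Aggressive", enabled=False),
]

# Constructed signals each filter would act on by itself (assumption).
STRONG = {"virus_scan": {"malware_detected"}, "spam_filter": {"known_spam_hash"}}

# Constructed sample messages.
PHISH = Message("Action required: verify your account",
                {"virus_scan": {"url_low_reputation"},
                 "spam_filter": {"display_name_mismatch", "urgency_language",
                                 "new_sender_domain"}})
NEWSLETTER = Message("Weekly deals", {"spam_filter": {"bulk_pattern"}})
CLEAN = Message("Lunch?", {})


def single_filter_acts(msg, source):
    """Would this one filter, on its own signals, take action on the message?"""
    return bool(msg.signals.get(source, set()) & STRONG[source])


def collect_signals(msg):
    """Flatten per-source signals into one 'source:signal' set so a rule can
    require signals from Virus Scan and Spam Filtering at the same time."""
    return {f"{src}:{sig}" for src, sigs in msg.signals.items() for sig in sigs}


def correlate(msg, rules):
    """Return the enabled rules whose required signal set is fully present.
    Disabled rules may be referenced by a policy but never fire."""
    sigs = collect_signals(msg)
    return [r for r in rules if r.enabled and r.required <= sigs]


def classify(msg, rules, levels=None):
    """Split matched rules into security risks and anomalies. `levels` limits
    anomaly rules to the given aggressive levels (None = all), mirroring the
    per-level selection under 'All pre-defined rules'."""
    out = {"security_risks": [], "anomalies": []}
    for r in correlate(msg, rules):
        if r.kind == "security_risk":
            out["security_risks"].append(r.name)
        elif levels is None or r.level in levels:
            out["anomalies"].append(r.name)
    return out


if __name__ == "__main__":
    for m in (PHISH, NEWSLETTER, CLEAN):
        alone = [s for s in STRONG if single_filter_acts(m, s)]
        print(m.subject, "| filters acting alone:", alone,
              "| correlated:", classify(m, RULES))
```

Running the block shows the phishing sample is flagged as a security risk and a Moderate anomaly even though neither filter would act alone, the newsletter is only an Extra aggressive anomaly (and nothing at all when only Moderate rules are enforced), and the clean message matches nothing.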

Procedure

  1. Click Scanning Criteria.
  2. Specify security risk detection settings.
    1. Select the Security risks check box to enable phishing detection by Correlated Intelligence.
      Security risks are high-confidence detections by Correlated Intelligence. These are usually sophisticated attacks that are difficult to detect with a single protection layer. Correlated Intelligence combines signals from various sources to identify advanced attacks designed to bypass traditional, layer-by-layer defenses.
    2. Select the check box to submit suspicious files to Virtual Analyzer to perform further observation and analysis on these files, and select the security level from the drop-down list to take configured actions based on Virtual Analyzer’s scan results.
      Whether a file is suspicious is determined by Correlated Intelligence based on its scan results.
      Virtual Analyzer performs observation and analysis on samples in a closed environment. It takes 3 minutes on average to analyze and identify the risk of a file, and the time could be as long as 30 minutes for some files.
      Note
      • When an eligible file is contained in another file, such as included in an archive file or embedded in a file, Trend Micro Email Security extracts the file and submits it to Virtual Analyzer.
      • There is a submission quota limiting the number of files that can be sent to Virtual Analyzer within 24 hours. The quota is calculated based on a 24-hour sliding window as follows:
        File submission quota = Seat count * 0.1
        For example, if you have 1,000 seats, a total of 100 files can be submitted to Virtual Analyzer for analysis within 24 hours. The default quota will be 5 if your seat count is less than 50. Note that the submission quota mentioned here is subject to change without notice.
        In addition, the following cases are not counted against the quota:
        • Samples that hit the local or cloud cache.
        • Samples in an unsupported file format.
        • Other unexpected scan exceptions.
        Once the quota is used up, no more files can be sent to Virtual Analyzer. Nevertheless, the quota will be restored as the 24-hour sliding window moves forward.
        You can configure scan exception actions for the file submissions over quota. For details, see Configuring "scan exceptions" actions.
  3. Under the Specify anomaly settings area, select the Pre-defined anomalies check box to enable the detection of Trend Micro specified anomalies, such as Suspicious Email or Possibly Unwanted Email, by predefined correlation rules.
    Important
    Anomalies detected by Correlated Intelligence correlation rules do not always indicate malicious activity; the rules match certain suspicious signals and vary in precision and in how well they fit a given environment. We recommend initially setting actions to Tag subject or Insert stamp in body to monitor outcomes before applying stronger actions. You can also create custom correlation rules and add them in the Custom Correlated Intelligence section to better fit your environment.
  4. Choose whether to enforce all or only selected predefined correlation rules to detect Trend Micro specified anomalies of different threat types.
    • All pre-defined rules
      This option is automatically selected when you select Pre-defined anomalies.
      Trend Micro classifies its predefined correlation rules for anomaly detection into three aggressive levels: Moderate, Aggressive, and Extra aggressive. For details about these correlation rules and the scenarios for which rules of each aggressive level are suitable, see Managing correlation rules and detection signals.
      1. Select the threat type of Trend Micro specified anomalies that you want to detect using each aggressive level of correlation rules.
      2. Click the digit next to each aggressive level to view the associated predefined correlation rules in the Correlation Rules and Detection Signals screen under Administration.
        You can also enable or disable the predefined correlation rules in the screen.
    • Specified pre-defined rules
      Select and add one or multiple predefined correlation rules.
      Note
      Disabled correlation rules can be selected but do not apply during scanning.
  5. Select the Custom Correlated Intelligence check box to enable anomaly detection by custom correlation rules that you have created for your environment.
  6. Select and add one or multiple custom correlation rules.
    Note
    Disabled correlation rules can be selected but do not apply during scanning.
    Clicking the digit next to Custom Correlated Intelligence opens the Correlation Rules and Detection Signals screen under Administration, where you can view all the existing correlation rules and add new correlation rules.
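The following is an added example, not Trend Micro code, that models the Virtual Analyzer submission quota described in the note under step 2: a limit of seat count * 0.1 (5 when the seat count is below 50), consumed over a 24-hour sliding window, with cache hits, unsupported formats and scan exceptions not counted, and with quota restored as old submissions leave the window. Two details are assumptions made here because the page does not state them: fractional quotas are rounded down, and the disposition labels ("over_quota" and the pre-check outcomes) are invented for the model. The exact quota rule is subject to change, as the note says.

```python
"""Sliding-window model of the Virtual Analyzer file submission quota.
Added example with constructed timings; rounding and labels are assumptions."""
from collections import deque

WINDOW_SECONDS = 24 * 60 * 60


def submission_quota(seat_count):
    """Quota = seat count * 0.1, with a default of 5 below 50 seats.
    Assumption: a fractional result rounds down."""
    if seat_count < 50:
        return 5
    return seat_count // 10


class SlidingWindowQuota:
    def __init__(self, seat_count):
        self.limit = submission_quota(seat_count)
        self.counted = deque()   # timestamps (seconds) of quota-consuming submissions

    def _expire(self, now):
        """Drop submissions older than 24 hours; this is what restores quota."""
        while self.counted and now - self.counted[0] >= WINDOW_SECONDS:
            self.counted.popleft()

    def remaining(self, now):
        self._expire(now)
        return self.limit - len(self.counted)

    def submit(self, now, precheck):
        """precheck is the result of the checks that run before submission:
        'cache_hit', 'unsupported_format' or 'scan_exception' are never counted;
        'new' means the file would actually be analyzed and consumes quota.
        Returns the disposition (assumed labels)."""
        if precheck != "new":
            return precheck
        self._expire(now)
        if len(self.counted) >= self.limit:
            return "over_quota"          # configured scan exception action applies
        self.counted.append(now)
        return "analyzed"


def simulate():
    """Constructed timeline for a 50-seat tenant (limit 5)."""
    q = SlidingWindowQuota(seat_count=50)
    log = []
    for t in range(6):                       # burst of 6 previously unseen files
        log.append(q.submit(t, "new"))
    log.append(q.submit(10, "cache_hit"))    # known sample: free
    log.append(q.submit(20, "unsupported_format"))
    log.append(q.submit(30, "new"))          # still inside the exhausted window
    log.append(q.submit(WINDOW_SECONDS, "new"))   # the t=0 slot has expired
    return log


if __name__ == "__main__":
    for seats in (10, 49, 50, 55, 1000):
        print(seats, "seats ->", submission_quota(seats), "files / 24 h")
    print(simulate())
```

The simulation shows the sixth file in the burst and a later new file both going over quota, pre-check outcomes passing through without consuming quota, and a submission at exactly 24 hours after the first being accepted because the oldest counted submission has left the window.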