Configuring Correlated Intelligence criteria | Trend Micro Service Central

Views:

Detect security risks and identify anomalies by correlating signals across different sources.

Designed to empower you with enhanced detection capabilities against sophisticated attacks, Correlated Intelligence correlates suspicious signals from various sources to detect phishing security risks and anomalies.

Note

Correlated Intelligence is available for Inbound Protection only.

Correlated Intelligence collects signals from Virus Scan and Spam Filtering.

One key advantage of Correlated Intelligence is the capability to see and analyze signals from multiple sources to identify phishing security risks that may go unnoticed by a single security filter. This multi-source approach adds an extra layer of protection to detect potential threats.

Another highlight of Correlated Intelligence is its ability to alert you of anomalies, which shows one or multiple signals that deviate from normal behaviors. Anomalies may not necessarily indicate a security risk, but are unusual enough to warrant attention. With this feature, you can have a more comprehensive view of your security landscape.

Correlated Intelligence operates by first gathering detection signals from various security criteria and then matching the signals against the predefined correlation rules. The aim of this process is to identify any matches that could indicate a phishing security risk or anomaly, providing a more thorough and nuanced analysis of potential security threats.

Cloud Email Gateway Protection comes with a set of predefined correlation rules and detection signals to detect Trend Micro specified security risks and anomalies. To view details about the predefined correlation rules, detection signals, and their targeted threat types of anomalies, go to the Administration → Policy Objects → Correlation Rules and Detection Signals screen. You can also define custom correlation rules that are unique and critical to your environment, and then add them to Correlated Intelligence policy rules. This provides you with flexibility of configuring Correlated Intelligence policy that meet your actual needs.

Procedure

Click Scanning Criteria.
Under the Specify security risk settings area, select the Security risks check box to enable phishing detection by Correlated Intelligence.

Security risks are high-confidence detections by Correlated Intelligence. These are usually sophisticated attacks that are difficult to detect with a single protection layer. Correlated Intelligence combines signals from various sources to identify advanced attacks designed to bypass traditional, layer-by-layer defenses.

Under the Specify anomaly settings area, select the Pre-defined anomalies check box to enable the detection of Trend Micro specified anomalies, such as Suspicious Email or Possibly Unwanted Email, by predefined correlation rules.

Important

Anomaly detection by Correlated Intelligence correlation rules may not always indicate malicious activity; they align with certain suspicious signals and can vary in effectiveness and expectation. We recommend initially setting actions to Tag subject or Insert stamp in body to monitor outcomes before applying stronger actions. You can also create custom correlation rules and add them in the Custom Correlated Intelligence section to better fit your environment.

Determine to enforce all or partial predefined correlation rules to detect Trend Micro specified anomalies of different threat types.
- All pre-defined rules
  This option is automatically selected when you select Pre-defined anomalies.
  
  Trend Micro classifies its predefined correlation rules for anomaly detection into three aggressive levels: Moderate, Aggressive, and Extra aggressive. For details about these correlation rules and what scenarios that correlation rules of each aggressive level are suitable for, see Managing correlation rules and detection signals.
  1. Select the threat type of Trend Micro specified anomalies that you want to detect using each aggressive level of correlation rules.
  2. Click the digit next to each aggressive level to view the associated predefined correlation rules in the Correlation Rules and Detection Signals screen under Administration.
    
    You can also enable or disable the predefined correlation rules in the screen.
- Specified pre-defined rules
  Select and add one or multiple predefined correlation rules.
  
  Note
  
  Disabled correlation rules can be selected but do not apply during scanning.
Select the Custom Correlated Intelligence check box to enable anomaly detection by custom correlation rules that you have created for your environment.
Select and add one or multiple custom correlation rules.

Note

Disabled correlation rules can be selected but do not apply during scanning.

Clicking the digit next to Custom Correlated Intelligence opens the Correlation Rules and Detection Signals screen under Administration, where you can view all the existing correlation rules and add new correlation rules.