View and manage event rules for risk events marked as Dismissed or Accepted.

The Event Rule Management screen provides a centralized location to view and manage event rules. You may create event rules when changing the status of risk events and vulnerabilities. Statuses that support rule creation include:
  • Dismissed: Marking a risk event as Dismissed and creating a related event rule prevents the reporting of future instances of the risk event, keeping them from affecting the Risk Index.
  • Accepted: Marking a risk event as Accepted and creating a related event rule ensures existing and future instances of the risk event are marked as Accepted for the specified time period. Events marked as Accepted still contribute to your Risk Index.
Removing an event rule enables reporting for future instances of the related risk event.
The following table outlines the actions available on the Event Rule Management screen.
Action
Description
Filter event rules
Use the drop-down menus and Search field to locate specific event rules.
  • Group by: Group event rules by the original Risk event or by Assets
  • Risk factor: Filter event rules by the risk factor of the original risk event
    The Risk factor drop-down menu is only available when viewing event rules grouped by Risk event.
  • Impacted assets: Filter event rules by the type of asset impacted by the original risk event
    The Impacted assets drop-down menu is only available when viewing event rules grouped by Risk event.
  • Asset type: Filter event rules by the type of asset
    The Asset type drop-down menu is only available when viewing event rules grouped by Assets.
  • Status: Filter event rules by whether the rules are currently active, expired, or planned
    The Status drop-down menu is only available for rules in the Accepted event rules tab.
  • Created by: Filter event rules by the Trend Vision One user that created the event rule.
  • Search: Provides partial matching by risk event when grouping by Risk event or by asset when grouping by Assets.
View information about event rules
Click any risk event or asset to view a list of related event rules.
  • When grouping by Risk event, clicking a risk event displays a list of the event rules related to the selected risk event.
  • When grouping by Assets, clicking an asset displays a list of the event rules related to the selected asset.
To remove event rules, select the event rules and then click Remove Event Rules.
To change the status of an active or planned accepted event rule, click the time period field and enter a new applicable time period.
To activate an expired accepted event rule, select the rule and click Activate Event Rules. Set a new applicable time period and description and then click Activate.
Manage event rule parameters
Click on an active supported event rule type to add or remove rule parameters. Event rules with set parameters only apply when the parameters are met. Risk event instances that do not meet rule parameters are still reported, which impacts your Risk Index.
The following table details the risk event types that currently support parameters along with the supported parameter content.
| Risk event type | Risk factor | Supported parameter content |
|---|---|---|
| Potential Impersonation Attempt - Impossible Travel | Account compromise | IPv4 addresses and ranges |
| Potential Impersonation Attempt - Atypical Travel | Account compromise | IPv4 addresses and ranges |
| Potential Brute Force Attack Via Okta - Password Spraying | Account compromise | IPv4 addresses and ranges |
| Unusual Device Access from IP Addresses | Activity and behaviors | IPv4 addresses and ranges |
| Unusual Internal IP Connection | Activity and behaviors | IPv4 addresses and ranges |
| Unusual User Access Day | Activity and behaviors | Days of the week |
| Risky Cloud App Access | Cloud app activity | Apps |
| Risky Mobile App Access | Cloud app activity | Apps |
| Network Sensor - Security Risk Detection | Threat detection | Rules |
| Trend Cloud One - Endpoint & Workload Security - Security Risk Detection | Threat detection | Rules |
| Trend Vision One Container Security - Security Risk Detection | Threat detection | Rules |
| Network Sensor - Activity and Behavior Detection | Threat detection | Rules |
View assets affected by an event rule
When grouping by Risk event, clicking the number of impacted assets for a risk event displays a list of assets affected by the event rule.
Remove event rules
Select event rules and click Remove Event Rules to remove the event rule and enable reporting for future instances of the related risk events.
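
The following added example (not Trend Vision One code or its API) models how a parameter-scoped event rule, as described under "Manage event rule parameters", decides the outcome for a single risk event instance. The `EventRule` class, the `evaluate` function, the accepted range formats (single address, CIDR, `first-last`), and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class EventRule:
    """Hypothetical model of an event rule; not the product's schema."""
    risk_event: str
    status: str                                    # "Dismissed" or "Accepted"
    ipv4: List[str] = field(default_factory=list)  # empty list = no parameters set
    start: Optional[date] = None                   # applicable time period (Accepted rules)
    end: Optional[date] = None

def ip_matches(ip: str, entries: List[str]) -> bool:
    """True if ip falls in any entry: single address, CIDR, or 'first-last' (assumed formats)."""
    addr = ipaddress.IPv4Address(ip)
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-"))
            if first <= addr <= last:
                return True
        elif addr in ipaddress.IPv4Network(entry, strict=False):
            return True
    return False

def evaluate(rule: EventRule, event: str, src_ip: str, today: date) -> Tuple[str, bool]:
    """Return (outcome, affects_risk_index) for one risk event instance."""
    applies = rule.risk_event == event and (not rule.ipv4 or ip_matches(src_ip, rule.ipv4))
    if applies and rule.status == "Accepted":
        # Accepted rules apply only inside their time period (active, not planned or expired).
        applies = rule.start is not None and rule.end is not None and rule.start <= today <= rule.end
    if not applies:
        return ("Reported", True)      # parameters not met: the instance is still reported
    if rule.status == "Dismissed":
        return ("Dismissed", False)    # not reported, kept out of the Risk Index
    return ("Accepted", True)          # marked Accepted, still contributes to the Risk Index

# Constructed sample: a Dismissed rule scoped to two documentation-range IPv4 entries.
RULE = EventRule("Potential Impersonation Attempt - Impossible Travel", "Dismissed",
                 ["203.0.113.0/28", "198.51.100.10-198.51.100.20"])
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.15", "192.0.2.44"):
        print(ip, evaluate(RULE, RULE.risk_event, ip, TODAY))
```

Keeping the parameter list as narrow as the known-benign sources means that the same risk event from any other address is still reported and still counts toward the Risk Index.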