Manage correlation rules and detection signals that you can use for anomaly detection by Correlated Intelligence.

Trend Micro defines a set of correlation rules and detection signals, and continually introduces new rules and signals. Each predefined correlation rule consists of one or multiple predefined detection signals.
You can also add custom correlation rules to accommodate detection requirements in your environment.
The following table outlines the available actions on the Correlation Rules tab of the Correlation Rules and Detection Signals screen.

The Correlation Rules Tab

Action: Enable or disable a correlation rule
Description: On the Correlation Rules tab, click the Enable or Disable icon in the Status column of the rule. The setting is global: it applies to anomaly detection in all Correlated Intelligence policy rules.

Action: View predefined correlation rule details
Description: View the targeted threat type and aggressive level of a predefined correlation rule.
  • Targeted threat type: Trend Micro currently defines anomalies of two threat types, Suspicious Email and Possibly Unwanted Email.
  • Aggressive level: Trend Micro classifies its predefined correlation rules into three aggressive levels, each trading detection sensitivity against the rate of false positives.
    • Moderate: Balances effective anomaly detection against a relatively low rate of false positives. Suitable for everyday monitoring and for customers who prefer a safer approach without significant disruption to their regular email flow.
    • Aggressive: Increases the sensitivity of anomaly detection and offers more robust detection, at the cost of a higher number of false positives. Tailored for customers who require more stringent security measures against sophisticated attacks and accept some trade-off in false alerts.
    • Extra Aggressive: The highest level, recommended for critical situations such as an active attack or after a security breach has been identified. It provides the most aggressive form of prevention but may significantly impact normal email communication because of the high likelihood of false positives.

Action: Add a custom correlation rule
Description: Select one or multiple predefined detection signals to define a custom correlation rule. For details, see Adding a custom correlation rule.

Action: Edit a custom correlation rule
Description: Click the name of a custom correlation rule, and then modify the basic properties and the statement definition of the rule.

Action: View the detection signals that make up a correlation rule
Description: Click the name of a correlation rule to open the rule detail screen, which shows what the rule is about, which detection signals it uses, and how the rule is matched.

Action: Search for correlation rules
Description: Use the filter fields to search for correlation rules by rule name, status, targeted threat type, or aggressive level.
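The following Python program is an added example, not Trend Micro's code or rule syntax. It models the structure this page describes: atomic detection signals, correlation rules whose statement combines one or more signals, a targeted threat type and an aggressive level per rule, a per-rule enable/disable flag, and a custom rule built only from predefined signals. The signal names, the all_of/any_of statement form, the rule names, the bulk enable_up_to helper and the four sample messages are all constructed for this example; the real product defines its own signals and toggles rules individually in the console.

```python
"""Toy correlation engine: detection signals -> correlation rules -> matches.

Everything here (signal names, rule statement form, sample messages) is
constructed for this example and is not Trend Micro's implementation.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Set, Tuple

URL_SHORTENERS = {"bit.ly", "tinyurl.com"}                      # constructed list
URGENCY_WORDS = ("urgent", "immediately", "action required")    # constructed list
MONEY_WORDS = ("wire", "invoice", "gift card")                  # constructed list

# Predefined detection signals: name -> predicate over one email's attributes.
SIGNALS: Dict[str, Callable[[dict], bool]] = {
    "reply_to_mismatch": lambda m: m["reply_to_domain"] != m["from_domain"],
    "urgency_language": lambda m: any(w in m["subject"].lower() for w in URGENCY_WORDS),
    "first_time_sender": lambda m: not m["seen_before"],
    "url_shortener": lambda m: any(u.split("/")[2] in URL_SHORTENERS for u in m["urls"]),
    "financial_request": lambda m: any(w in m["body"].lower() for w in MONEY_WORDS),
}

LEVEL_RANK = {"Moderate": 0, "Aggressive": 1, "Extra Aggressive": 2}


@dataclass(frozen=True)
class CorrelationRule:
    name: str
    threat_type: str              # "Suspicious Email" or "Possibly Unwanted Email"
    level: str                    # one of LEVEL_RANK (assumed to apply to custom rules too)
    all_of: Tuple[str, ...] = ()  # every listed signal must fire
    any_of: Tuple[str, ...] = ()  # at least min_any of these must fire
    min_any: int = 1
    enabled: bool = True
    custom: bool = False

    def __post_init__(self) -> None:
        # A rule is built from one or more existing signals; reject anything else.
        names = set(self.all_of) | set(self.any_of)
        if not names:
            raise ValueError(f"{self.name}: a rule needs at least one signal")
        unknown = names - SIGNALS.keys()
        if unknown:
            raise ValueError(f"{self.name}: unknown signals {sorted(unknown)}")
        if self.level not in LEVEL_RANK:
            raise ValueError(f"{self.name}: unknown aggressive level {self.level!r}")

    def matches(self, fired: Set[str]) -> bool:
        """The statement: conjunction of all_of plus a quorum over any_of."""
        if any(s not in fired for s in self.all_of):
            return False
        if self.any_of and sum(s in fired for s in self.any_of) < self.min_any:
            return False
        return True


PREDEFINED_RULES: List[CorrelationRule] = [
    CorrelationRule("Payment fraud via mismatched reply-to", "Suspicious Email", "Moderate",
                    all_of=("reply_to_mismatch", "financial_request")),
    CorrelationRule("Pressure from a first-time sender", "Suspicious Email", "Aggressive",
                    all_of=("first_time_sender",),
                    any_of=("urgency_language", "financial_request", "reply_to_mismatch")),
    CorrelationRule("Any single pressure cue", "Possibly Unwanted Email", "Extra Aggressive",
                    any_of=("urgency_language", "url_shortener", "first_time_sender")),
]

# A custom rule composed, as on the Correlation Rules tab, only from predefined signals.
CUSTOM_RULES: List[CorrelationRule] = [
    CorrelationRule("Shortened link from a first-time sender", "Suspicious Email", "Moderate",
                    all_of=("url_shortener", "first_time_sender"), custom=True),
]


def fired_signals(msg: dict) -> Set[str]:
    """Names of all detection signals that fire on one message."""
    return {name for name, check in SIGNALS.items() if check(msg)}


def evaluate(msg: dict, rules: List[CorrelationRule]) -> List[str]:
    """Names of enabled rules whose statement matches the message's fired signals."""
    fired = fired_signals(msg)
    return [r.name for r in rules if r.enabled and r.matches(fired)]


def enable_up_to(rules: List[CorrelationRule], level: str) -> List[CorrelationRule]:
    """Bulk toggle (an assumption of this example): enable rules at or below a level."""
    return [replace(r, enabled=LEVEL_RANK[r.level] <= LEVEL_RANK[level]) for r in rules]


SAMPLE_MESSAGES: Dict[str, dict] = {  # constructed sample input
    "vendor_update": dict(from_domain="vendor.example", reply_to_domain="vendor.example",
                          subject="Monthly product update", seen_before=True,
                          body="Here is what changed this month.",
                          urls=["https://vendor.example/news"]),
    "bec_wire": dict(from_domain="example-corp.co", reply_to_domain="gmail.com",
                     subject="URGENT wire transfer needed", seen_before=False,
                     body="Please process the attached invoice by wire today.",
                     urls=["https://bit.ly/pay-now"]),
    "new_partner_nda": dict(from_domain="partner.example", reply_to_domain="partner.example",
                            subject="Action required: sign the NDA", seen_before=False,
                            body="Please sign the attached agreement.", urls=[]),
    "retail_sale": dict(from_domain="shop.example", reply_to_domain="shop.example",
                        subject="Weekend sale", seen_before=True,
                        body="Take 20% off this weekend.", urls=["https://bit.ly/sale"]),
}


def run(level: str) -> Dict[str, List[str]]:
    """Match every sample message against the rules enabled at the given level."""
    rules = enable_up_to(PREDEFINED_RULES + CUSTOM_RULES, level)
    return {mid: evaluate(msg, rules) for mid, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for lvl in LEVEL_RANK:
        print(lvl)
        for mid, hits in run(lvl).items():
            print(f"  {mid:16} -> {hits or 'no match'}")
```

Running it shows the trade-off the three levels describe: with only Moderate rules enabled, just the wire-fraud message matches; enabling the Aggressive rule also flags the legitimate first-time partner asking for a signature; the Extra Aggressive rule additionally flags a routine newsletter because of a single shortened link. The __post_init__ check mirrors the constraint that a custom rule can only reference predefined signals.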
The following table outlines the available actions on the Detection Signals tab.

The Detection Signals Tab

Action: View predefined detection signal details
Description: View each detection signal defined by Trend Micro and what the signal is about.

Action: Search for detection signals
Description: Use the filter field to search for signals by signal name.