Modify a risk control rule in classic view.

When a user or device matches the criteria in a risk control rule, Trend Vision One monitors the user or device's subsequent activity and, based on the configured actions, takes action when the monitored activity occurs. For example, when a user with a persistent high risk score attempts to sign in to a new browser session or access an internal app of your organization, the attempt could be blocked.
Note
Some risk control rule types can be modified in classic view. New risk control rules must be created in playbook view.

Procedure

  1. On the Secure Access Rules screen, click the Risk Control tab and then click a rule name.
  2. If the modify rule screen appears in playbook view, click Switch to Classic View.
    Note
    Classic view is not available for all risk control rule types.
  3. Select Risk Control from the Template type drop-down list.
    The available templates appear in the list. For more information about the templates, see Secure access rule templates.
  4. Click a template name.
    The rule configuration screen appears.
    You can choose another rule template from the Rule template drop-down list. The configuration items vary with the template.
  5. Specify a unique name and a description for the rule.
  6. (Optional) To enable or disable the rule, click the toggle next to Status.
    Tip
    You can also enable or disable rules on the Secure Access Rules tab.
  7. Configure the following rule factors.

    Actions

    Rule factor: Risk Events
      Description: The risky behavior or action that triggers the rule
      Options: Select from the list of risky events predefined by Trend Micro.
      Note: This rule factor may or may not appear depending on the rule template.

    Rule factor: Risk Score
      Description: The user risk score that triggers the rule
      Options: Select a minimum risk score or a range, and then select the time period.
      Note: This rule factor may or may not appear depending on the rule template.

    Rule factor: Source (for user-targeted rules)
      Description: The users/groups that the rule applies to
      Options:
        User/user groups
        Specify users and groups from your IAM system.
      Note: If you have configured more than one IAM system, the IAM system with SSO enabled applies.

    Rule factor: Source (for device-targeted rules)
      Description: The devices that the rule applies to
      Options: Select all or specific targets, that is, device platforms that the rule applies to.
      Note: Currently, only All devices is supported.

    Rule factor: Schedule
      Description: The weekly period during which the rule is applied
      Options: To configure the recurrence of the schedule, select Only apply the rule during the specified period, and then select a start date and end date.
      Note: The schedule uses the defined time zone of the console.

    Rule factor: Action (for user-targeted rules)
      Description: The action taken on the user account when the rule is triggered
      Options:
        Access control
        When a user or device matches the rule criteria, Trend Vision One takes the configured actions to control the user or device's subsequent sign-in or app access activity.
        For more information about actions, see Zero Trust actions.
        • Sign-in attempt: Control user access by monitoring sign-in attempts, disabling user accounts, or forcing sign out and password reset
        • Private access: Block or monitor user access to your organization's internal apps configured on the Trend Vision One console
        • Internet access: Block or monitor user access to cloud apps and external URLs on the internet
        Revoke actions
        Click the toggle next to Revoke actions to revoke the following actions when certain criteria are matched.
        • Disable User Account
        • Block Internal App Access
        • Block Cloud App/URL Access
        By default, this option is enabled.

    Rule factor: Action (for device-targeted rules)
      Description: The action taken on the device when the rule is triggered
      Options:
        Access control
        • Isolate Endpoint: Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product
          Important
          The Zero Trust Secure Access app sends the command to the Response Management app to take the action. Make sure that at least one of the following supported agents is installed on your devices: Trend Vision One, Apex One as a Service, Trend Cloud One - Endpoint & Workload Security. For more information, see Response actions.
        • Private access: Block or monitor device access to your organization's internal apps configured on the Trend Vision One console
        • Internet access: Block or monitor device access to cloud apps and external URLs on the internet
        Revoke actions
        Click the toggle next to Revoke actions to revoke the following actions when certain criteria are matched.
        • Isolate Endpoint
        • Block Internal App Access
        • Block Cloud App/URL Access
  8. Click Save.
    The rule is successfully created and listed on the Secure Access Rules screen.