Configure Correlated Intelligence scanning criteria to detect security risks and anomalies using predefined and custom correlation rules.

Correlated Intelligence correlates suspicious signals from Virus Scan and Spam Filtering to detect security risks and anomalies that may go unnoticed by a single security filter.
Note
  • Correlated Intelligence is only available after your TrendAI™ Email Security is updated to Cloud Email Gateway Protection in TrendAI Vision One™.
  • Correlated Intelligence is available for Inbound Protection only.
To view and manage predefined and custom correlation rules and detection signals, go to Administration > Policy Objects > Correlation Rules and Detection Signals. For details, see Manage correlation rules and detection signals.

Procedure

  1. Click Scanning Criteria.
  2. Configure security risk detection settings.
    Security risks are high-confidence detections by Correlated Intelligence. Security risks are usually sophisticated attacks that are difficult to detect with a single protection layer.
    1. Select the Phishing and/or Spam check box to enable phishing or spam detection by Correlated Intelligence.
    2. Optionally, select the check box to submit suspicious files to Virtual Analyzer for further observation and analysis.
      Virtual Analyzer performs observation and analysis on samples in a closed environment. Analysis takes 3 minutes on average to identify the risk of a file, and can take up to 30 minutes for some files.
      Actions configured for Virtual Analyzer scan exception and Virtual Analyzer submission quota exception under Virus Scan also apply to Correlated Intelligence policy.
      Note
      There is a submission quota limiting the number of files that can be sent to Virtual Analyzer within 24 hours. The quota is calculated based on a 24-hour sliding window.
      • File submission quota = Seat count * 0.1
      • The default quota will be 5 if your seat count is less than 50.
      • Once the quota is used up, no more files can be sent to Virtual Analyzer until the sliding window moves forward.
      You can configure scan exception actions for the file submissions over quota. For details, see Configure "scan exceptions" actions.
  3. Configure anomaly detection settings.
    Important
    Anomaly detections may not always indicate malicious activity. We recommend initially setting actions to Tag subject or Insert stamp in body to monitor outcomes before applying stronger actions.
    1. Select Pre-defined anomalies to detect TrendAI™ specified anomalies using predefined correlation rules.
      Choose All pre-defined rules to enforce all existing and future rules, or Specified pre-defined rules to select individual rules. Predefined rules are classified into three aggressive levels: Moderate, Aggressive, and Extra aggressive. For details, see Manage correlation rules and detection signals.
    2. Optionally, select Custom Correlated Intelligence to enable anomaly detection using custom correlation rules you have created for your environment.
  4. Click Submit.
    Ensure the policy rule has the appropriate priority in your policy list. Correlated Intelligence policy rules are evaluated in order from top to bottom.
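
The Virtual Analyzer submission quota described in step 2 can be modeled to estimate how many files will fall through to the scan exception action. The following is an added example, not code from the product: the function names and sample timestamps are constructed, and it assumes that fractional quotas round down and that over-quota files do not consume quota, neither of which the page states.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # quota is calculated on a 24-hour sliding window


def submission_quota(seat_count: int) -> int:
    """Quota per the note: seat count * 0.1, or 5 when seat count is below 50."""
    if seat_count < 50:
        return 5
    # Assumption: fractional results round down; the page does not specify rounding.
    return seat_count // 10


def classify_submissions(seat_count, timestamps):
    """Return (timestamp, accepted) for each attempted submission, in time order."""
    quota = submission_quota(seat_count)
    window = deque()  # accepted submissions still inside the last 24 hours
    results = []
    for ts in sorted(timestamps):
        # Slide the window forward: forget submissions that are 24 hours old or older.
        while window and ts - window[0] >= WINDOW:
            window.popleft()
        accepted = len(window) < quota
        if accepted:
            window.append(ts)
        # Assumption: a rejected file does not count against the quota; it is
        # handled by the configured submission quota exception action instead.
        results.append((ts, accepted))
    return results


def sample_submissions():
    """Constructed sample: 7 hourly files on day 1, then 2 files the next morning."""
    start = datetime(2024, 1, 1, 9, 0)
    day_one = [start + timedelta(hours=h) for h in range(7)]
    day_two = [datetime(2024, 1, 2, 9, 30), datetime(2024, 1, 2, 9, 45)]
    return day_one + day_two


if __name__ == "__main__":
    # 40 seats gives the default quota of 5.
    for ts, accepted in classify_submissions(40, sample_submissions()):
        verdict = "submitted" if accepted else "over quota (exception action applies)"
        print(ts.isoformat(sep=" "), verdict)
```

In the sample, the file at 09:30 on the second day is submitted because the first day's 09:00 submission has left the window, while the file at 09:45 is over quota again.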