You can create correlated intelligence rules that correlate suspicious signals from threat and antispam protection to detect security risks and anomalies that a single security protection might miss.

Procedure

  1. Go to Policies > Policy Management.
  2. Click the Correlated Intelligence Rules tab.
  3. Do one of the following:
    • Click Add to create a new rule.
    • Click a rule name to change the settings.
  4. Type a rule name.
  5. On the Security Risks tab, configure security risk detection settings.
  6. Click Anomalies and configure the anomaly detection settings.
    Important
    Anomaly detections may not always indicate malicious activity. We recommend initially setting actions to Pass and tag or Insert stamp in body to monitor outcomes before applying stronger actions.
    The following are the currently supported threat types of TrendAI™ specified anomalies:
    • Suspicious Email
    • Possibly Unwanted Email
    Anomalies are classified into the following aggressive levels:
    • Moderate: This level is designed to seek a balance between effective anomaly detection and maintaining a relatively low rate of false positives. It is suitable for everyday monitoring and for customers who prefer a safer approach without significant disruptions to their regular email flow.
    • Aggressive: This level increases the sensitivity of anomaly detection and offers a more robust detection capability, which may result in a higher number of false positives. It is tailored for customers who require more stringent security measures to combat sophisticated attacks and are willing to accept some trade-offs in false alerts.
    • Extra Aggressive: This highest level of aggression is recommended for critical situations, such as during an active attack or after a security breach has been identified. It provides the most aggressive form of prevention but may significantly impact normal email communication due to the high likelihood of false positives.
  7. Click Save.
    After adding a rule, you can:
    • Click a rule name to edit the rule settings.
    • Select a rule and click Delete to remove the selected rule.