Event Tagging

Vulnerability ProtectionDeep Security enables you to create tags that you can use to identify and sort events. For example, you might use tags to separate events that are benign from those that require further investigation. You can use tags to create customized dashboards and reports.

Although you can use event tagging for a variety of purposes, it was designed to ease the burden of event management. After you have analyzed an event and determined that it is benign, you can look through the Event logs of the computer (and any other similarly configured and tasked computers) to find similar events and apply the same label to them, eliminating the need to analyze each event individually.

Tags do not alter the data in the events themselves, nor do they allow users to delete events. They are simply extra attributes provided by the Manager.

These are the ways that you can perform tagging:

An important difference between standard tagging and Trusted Source tagging is that "Run on Existing Events Now" can only be done with standard event tagging.

Manual Tagging

To manually tag an event:

  1. In the Events list, right-click the event (or select multiple events and right-click) and select Add Tag(s)....
  2. Type a name for the tag. (Vulnerability ProtectionDeep Security Manager will suggest matching names of existing tags as you type.)
  3. Select The Selected [Event Type] Event. Click Next.
  4. Enter some optional comments and click Finish.

Looking at the Events list, you can see that the event has now been tagged.

Auto-Tagging

Vulnerability ProtectionDeep Security Manager enables you to define rules that apply the same tag to similar events automatically. To view existing saved auto-tagging rules, click Auto-Tagging... in the menu bar on any Events page. You can run saved rules manually from this page.

To create an auto-tagging rule:

  1. In the Events list, right-click a representative event and select Add tag(s)....
  2. Type a name for the tag. (Vulnerability ProtectionDeep Security Manager will suggest matching names of existing tags as you type.)
  3. Select Apply to selected and similar [Event Type] Events and click Next.
  4. Select the computers where you want to auto-tag events and click Next.
  5. Select which attributes will be examined to determine whether events are similar. For the most part, the attribute options are the same as the information displayed in the columns of the Events list pages (Source IP, Reason, Severity, etc.). When you have selected which attributes to include in the event selection process, click Next.
  6. On the next page, specify when events should be tagged. If you select Existing [Event Type] Events, you can choose whether to apply the auto-tagging rule immediately, or have it run in the background at a lower priority. Select Future [Event Type] Events to apply the auto-tagging rule to events that will happen in the future. You can also save the auto-tagging rule. You can access saved rules later by clicking Auto-Tagging... in the menu bar of the Events page. Click Next.
  7. Review the summary of your auto-tagging rule and click Finish.

Looking at the Events list, you can see that your original event and all similar events have been tagged.

Event tagging only occurs after events have been retrieved from the Agents/Appliances to the Vulnerability ProtectionDeep Security Manager's database.

Once an auto-tagging Rule is created, you can assign it a Precedence value. If the auto-tagging rule has been configured to run on future events, the rule's precedence determines the order in which all auto-tagging rules are applied to incoming events. For example, you can have a rule with a precedence value of "1" that tags all "User Signed In" events as "suspicious", and a rule with a precedence value of "2" that removes the "suspicious" tag from all "User Signed In" events where the Target (User) is you. The precedence "1" rule will run first and apply the "suspicious" tag to all "User Signed In" events. The precedence "2" rule will run afterwards and remove the "suspicious" tag from all "User Signed In" events where the User was you. This will result in a "suspicious" tag being applied to all future "User Signed In" events where the User is not you.

To set the precedence for an auto-tagging rule:

  1. In the Events list, click Auto-Tagging... to display a list of saved auto-tagging rules.
  2. Right-click an auto-tagging rule and select View.
  3. Select a Precedence for the rule.

Trusted Source Tagging

Trusted Source Event Tagging can only be used with events generated by the Integrity Monitoring protection module.

The Integrity Monitoring module allows you to monitor system components and associated attributes on a computer for changes. ("Changes" include creation and deletion as well as edits.) Among the components that you can monitor for changes are files, directories, groups, installed software, listening ports, processes, registry keys, and so on.

Trusted Source Event Tagging is designed to reduce the number of events that need to be analyzed by automatically identifying events associated with authorized changes.

In addition to auto-tagging similar events, the Integrity Monitoring module allows you to tag events based on their similarity to events and data found on Trusted Sources. A Trusted Source can be either:

  1. A Local Trusted Computer,
  2. The Trend Micro Certified Safe Software Service, or
  3. A Trusted Common Baseline, which is a set of file states collected from a group of computers.

Local Trusted Computer

A Trusted Computer is a computer that will be used as a "model" computer that you know will only generate benign or harmless events. A "target" computer is a computer that you are monitoring for unauthorized or unexpected changes. The auto-tagging rule examines events on target computers and compares them to events from the trusted computer. If any events match, they are tagged with the tag defined in the auto-tagging rule.

You can establish auto-tagging rules that compare events on protected computers to events on a Trusted Computer. For example, a planned rollout of a patch can be applied to the Trusted Computer. The events associated with the application of the patch can be tagged as "Patch X". Similar events raised on other systems can be auto-tagged and identified as acceptable changes and filtered out to reduce the number of events that need to be evaluated.

How does Vulnerability ProtectionDeep Security determine whether an event on a target computer matches an event on a Trusted Source computer?

Integrity Monitoring events contain information about transitions from one state to another. In other words, events contain before and after information. When comparing events, the auto-tagging engine will look for matching before and after states; if the two events share the same before and after states, the events are judged to be a match and a tag is applied to the second event. This also applies to creation and deletion events.

Remember that when using a Trusted Computer for Trusted Source Event Tagging, the events being tagged are events generated by Vulnerability ProtectionDeep Security Integrity Monitoring Rules. This means that the Integrity Monitoring Rules that are generating events on the target computer must also be running on the Trusted Source computer.
Trusted Source computers must be scanned first.
Utilities that regularly make modifications to the content of files on a system (prelinking on Linux, for example) can interfere with Trusted Source Event Tagging.

To tag events based on a Local Trusted Computer:

  1. Make sure the Trusted Computer is free of malware by running a full Anti-Malware scan.
  2. Make sure the computer(s) on which you want to auto-tag events are running the same (or some of the same) Integrity Monitoring Rules as the Trusted Source Computer.
  3. In Vulnerability ProtectionDeep Security Manager, go to Events & Reports > Integrity Monitoring Events and click Auto-Tagging... in the toolbar.
  4. In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source... to display the Tag Wizard.
  5. Select Local Trusted Computer and click Next.
  6. From the drop-down list, select the computer that will be the Trusted Source and click Next.
  7. Specify one or more tags to apply to events on target computers when they match events on this Trusted Source computer. Click Next.
    You can enter the text for a new tag or select from a list of existing tags.
  8. Identify the target computers whose events will be matched to those of the Trusted Source. Click Next.
  9. Optionally, give the rule a name and click Finish.

Certified Safe Software Service

The Certified Safe Software Service is a whitelist of known-good file signatures maintained by Trend Micro. This type of Trusted Source tagging will monitor target computers for file-related Integrity Monitoring events. When an event has been recorded, the file's signature (after the change) is compared to Trend Micro's list of known good file signatures. If a match is found, the event is tagged.

To tag events based on the Trend Micro Certified Safe Software Service:

  1. In Vulnerability ProtectionDeep Security Manager, go to Events & Reports > Integrity Monitoring Events and click Auto-Tagging... in the toolbar.
  2. In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source... to display the Tag Wizard.
  3. Select Certified Safe Software Service and click Next.
  4. Specify one or more tags to apply to events on target computers when they match the Certified Safe Software Service. Click Next.
  5. Identify the target computers whose events will be matched to the Certified Safe Software Service. Click Next.
  6. Optionally, give the rule a name and click Finish.

Trusted Common Baseline

The Trusted Common Baseline method compares events within a group of computers. A group of computers is identified and a common baseline is generated based on the files and system states targeted by the Integrity Monitoring Rules in effect on the computers in the group. When an Integrity Monitoring event occurs on a computer within the group, the signature of the file after the change is compared to the common baseline. If the file's new signature has a match elsewhere in the common baseline, a tag is applied to the event. In Trusted Computer method, the before and after states of an Integrity Monitoring event are compared, but in the Trusted Common Baseline method, only the after state is compared.

This method relies on all the computers in the common group being secure and free of malware. A full Anti-Malware scan should be run on all the computers in the group before the common baseline is generated.
When an Integrity Monitoring baseline is generated for a computer, Vulnerability ProtectionDeep Security will first check if that computer is part of a Trusted Common baseline group. If it is, it will include the computer's baseline data in the Trusted Common Baseline for that group. For this reason, the Trusted Common Baseline Auto-Tagging Rule must be in place before any Integrity Monitoring Rules have been applied to the computers in the common baseline group.

To tag events based on a Trusted Common Baseline:

  1. Make sure all the computers that will be in the group that will make up the Trusted Common Baseline are free of malware by running a full Anti-Malware scan on them.
  2. In Vulnerability ProtectionDeep Security Manager, go to Events & Reports > Integrity Monitoring Events and click Auto-Tagging... in the toolbar.
  3. In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source... to display the Tag Wizard.
  4. Select Trusted Common Baseline and click Next.
  5. Specify one or more tags to apply to events when they have a match in the Trusted Common Baseline and click Next.
  6. Identify the computers to include in the group used to generate the Trusted Common baseline. Click Next.
  7. Optionally, give this rule a name and click Finish.