Apply tags to identify and group events

Workload Security enables you to create tags that you can use to identify and sort events. For example, you might use tags to separate events that are benign from those that require further investigation. You can use tags to create customized dashboards and reports.

Although you can use event tagging for a variety of purposes, it was designed to ease the burden of event management. After you have analyzed an event and determined that it is benign, you can look through the event logs of the computer (and any other similarly configured and tasked computers) to find similar events and apply the same label to them, eliminating the need to analyze each event individually.

To view tags that are currently in use, go to Policies > Common Objects > Other > Tags.

Tags do not alter the data in the events themselves, nor do they allow users to delete events. They are simply extra attributes provided by Workload Security.

You can perform tagging as follows:

• Manual tagging lets you tag specific events as needed.
• Auto-tagging lets you use an existing event as the model for auto-tagging similar events on the same or other computers. You define the parameters for similarity by selecting which event attributes have to match the model event attributes for a tag to be applied.
• Trusted source tagging lets you auto-tag Integrity Monitoring events based on their similarity to known-good events from a trusted source.

An important difference between standard tagging and trusted source tagging is that Run on Existing Events Now can only be done with standard event tagging

Manual tagging

1. Go to Events & Reports > Events and select an event list. Right-click the event (or select multiple events and right-click) and select Add Tag(s).
2. Type a name for the tag. Workload Security suggests matching names of existing tags as you type.
3. Select The Selected [Event Type] Event. Click Next.
4. Enter some optional comments and click Finish.

In the events list, you can see your tag in the TAG(S) column.

Auto-tagging

Auto-tagging is no longer available for new users. Existing users who currently use auto-tagging may continue to do so.

Workload Security enables you to define rules that apply the same tag to similar events automatically. To view existing saved auto-tagging rules, click Auto-Tagging in the menu bar on any Events page. You can run saved rules manually from this page.

1. Go to Events & Reports > Events and select an event list. Right-click a representative event and select Add Tag(s).
2. Type a name for the tag. Workload Security suggests matching names of existing tags as you type.
3. Select Apply to selected and similar [Event Type] Events and click Next.
4. Select the computers where you want to auto-tag events and click Next. When applying tags to system events, this page is skipped.
5. Select which attributes will be examined to determine whether events are similar. For the most part, the attribute options are the same as the information displayed in the columns of the Events list pages. When you have selected which attributes to include in the event selection process, click Next.
6. On the next page, specify when events should be tagged. If you select Existing [Event Type] Events, you can select Apply Auto-Tag Rule now to apply the auto-tagging rule immediately, or Apply Auto-Tag Rule in the background to have it run in the background at a lower priority. Select Future [Event Type] Events to apply the auto-tagging rule to events that will happen in the future. You can also save the auto-tagging rule by selecting Save Auto-Tag Rule and optionally entering a name. Click Next.
7. Review the summary of your auto-tagging rule and click Finish.

In the events list, you can see that your original event and all similar events have been tagged

Event tagging only occurs after events have been retrieved from the agents to the Workload Security database.

Set the precedence for an auto-tagging rule

Once an auto-tagging rule is created, you can assign it a Precedence value. If the auto-tagging rule has been configured to run on future events, the rule's precedence determines the order in which all auto-tagging rules are applied to incoming events. For example, you can have a rule with a precedence value of 1 that tags all User Signed In events as suspicious, and a rule with a precedence value of 2 that removes the suspicious tag from all User Signed In events where the target (user) is you. This results in a suspicious tag being applied to all future User Signed In events where the user is not you.

1. In an events list, click Auto-Tagging to display a list of saved auto-tagging rules.
2. Right-click an auto-tagging rule and select Details.
3. In the General tab, select a Precedence for the rule.

Auto-tagging log inspection events

Log inspection events are auto-tagged based upon their grouping in the log file structure. This simplifies and automates the processing of log inspection events within Workload Security. You can use auto-tagging to automatically apply tags for the log inspection groups. Log inspection rules have groups associated with them in the rules. For example:

<rule id="18126" level="3">
<if_sid>18101</if_sid>
<id>^20158</id>
<description>Remote access login success</description>
<group>authentication_success,</group>
</rule>

<rule id="18127" level="8">
<if_sid>18104</if_sid>
<id>^646|^647</id>
<description>Computer account changed/deleted</description>
<group>account_changed,</group>
</rule>

Each group name has a friendly name string associated with it. In the preceding example, authentication_success would be Authentication Success, account_changed would be Account Changed. When this property is selected, the friendly names are automatically added as a tag for that event. If multiple rules trigger, multiple tags are attached to the event.

Trusted source tagging

Trusted source event tagging can only be used with events generated by the Integrity Monitoring protection module.

If you subscribed on or after July 12, 2021 and are using version 20.0.0-2593 or later agents, the Trusted Common Baseline is no longer available. If you subscribed before July 12, 2021, the button is available until January 1, 2022. Events that were tagged prior to July 12, 2021 maintain their tags, but new Integrity Monitoring events need to be tagged using other methods. For more information, see Removal of the Trusted Common Baseline option from Integrity Monitoring Auto-Tag Rules of Trend Cloud One - Endpoint & Workload Security.

The Integrity Monitoring module allows you to monitor system components and associated attributes on a computer for changes. Changes include creation and deletion as well as edits. Among the components that you can monitor for changes are files, directories, groups, installed software, listening port numbers, processes, registry keys, and so on.

Trusted source event tagging is designed to reduce the number of events that need to be analyzed by automatically identifying events associated with authorized changes.

In addition to auto-tagging similar events, the Integrity Monitoring module allows you to tag events based on their similarity to events and data found on Trusted Sources. A trusted source can be:

• A local trusted computer,
• The Trend Micro Certified Safe Software Service
• A trusted common baseline, which is a set of file states collected from a group of computers.

Local trusted computer

A trusted computer is a computer that is used as a model computer that you know to only generate benign or harmless events. A target computer is a computer that you are monitoring for unauthorized or unexpected changes. The auto-tagging rule examines events on target computers and compares them to events from the trusted computer. If any events match, they are tagged with the tag defined in the auto-tagging rule.

You can establish auto-tagging rules that compare events on protected computers to events on a trusted computer. For example, a planned rollout of a patch can be applied to the trusted computer. The events associated with the application of the patch can be tagged as Patch X. Similar events raised on other systems can be auto-tagged and identified as acceptable changes and filtered out to reduce the number of events that need to be evaluated.

How does Workload Security determine whether an event on a target computer matches an event on a trusted source computer?

Integrity monitoring events contain information about transitions from one state to another. In other words, events contain before and after information. When comparing events, the auto-tagging engine looks for matching before and after states; if the two events share the same before and after states, the events are judged to be a match and a tag is applied to the second event. This also applies to creation and deletion events.

Remember that when using a trusted computer for trusted source event tagging, the events being tagged are events generated by Integrity Monitoring rules. This means that the Integrity Monitoring rules that are generating events on the target computer must also be running on the trusted source computer.

Trusted source computers must be scanned for malware before applying trusted source event tagging.

Utilities that regularly make modifications to the content of files on a system (prelinking on Linux, for example) can interfere with trusted source event tagging.

Tag events based on a local trusted computer

1. Make sure the trusted computer is free of malware by running a full anti-malware scan.
2. Make sure the computers on which you want to auto-tag events are running the same (or some of the same) Integrity Monitoring rules as the trusted source computer.
3. In the Workload Security console, go to Events & Reports > Integrity Monitoring Events and click Auto-Tagging in the toolbar.
4. In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source to display the Tag Wizard.
5. Select Local Trusted Computer and click Next.
6. From the list, select the computer that will be the trusted source and click Next.

7. Specify one or more tags to apply to events on target computers when they match events on this trusted source computer. Click Next.

   You can enter the text for a new tag or select from a list of existing tags.

8. Identify the target computers whose events will be matched to those of the trusted source. Click Next.

9. Optionally, give the rule a name and click Finish.

Tag events based on the Trend Micro Certified Safe Software Service

The Certified Safe Software Service is a list of known-good file signatures maintained by Trend Micro. This type of trusted source tagging will monitor target computers for file-related Integrity Monitoring events. When an event has been recorded, the file's signature (after the change) is compared to Trend Micro's list of known good file signatures. If a match is found, the event is tagged.

1. In the Workload Security console, go to Events & Reports > Integrity Monitoring Events and click Auto-Tagging in the toolbar.
2. In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source to display the Tag Wizard.
3. Select Certified Safe Software Service and click Next.
4. Specify one or more tags to apply to events on target computers when they match the Certified Safe Software Service. Click Next.
5. Identify the target computers whose events will be matched to the Certified Safe Software Service. Click Next.
6. Optionally, give the rule a name and click Finish.

Tag events based on a trusted common baseline

The trusted common baseline method compares events within a group of computers. A group of computers is identified and a common baseline is generated based on the files and system states targeted by the Integrity Monitoring rules in effect on the computers in the group. When an Integrity Monitoring event occurs on a computer within the group, the signature of the file after the change is compared to the common baseline. If the file's new signature has a match elsewhere in the common baseline, a tag is applied to the event. In trusted computer method, the before and after states of an Integrity Monitoring event are compared, but in the trusted common baseline method, only the after state is compared.

This method relies on all the computers in the common group being secure and free of malware. A full anti-malware scan should be run on all the computers in the group before the common baseline is generated.

When an Integrity Monitoring baseline is generated for a computer, Workload Security first checks if that computer is part of a trusted common baseline group. If it is, it includes the computer's baseline data in the trusted common baseline for that group. For this reason, the trusted common baseline auto-tagging rule must be in place before any Integrity Monitoring rules have been applied to the computers in the common baseline group.

1. Make sure all the computers added to the group that makes up the trusted common baseline are free of malware by running a full anti-malware scan on them.
2. In the Workload Security console, go to Events & Reports > Integrity Monitoring Events and click Auto-Tagging in the toolbar.
3. In the Auto-Tag Rules (Integrity Monitoring Events) window, click New Trusted Source to display the Tag Wizard.
4. Select Trusted Common Baseline and click Next.
5. Specify one or more tags to apply to events when they have a match in the trusted common baseline and click Next.
6. Identify the computers to include in the group used to generate the trusted common baseline. Click Next.
7. Optionally, give this rule a name and click Finish.

Delete a tag

1. In an events list, right-click the events with the tag you want to delete, and select Remove Tag(s).
2. Select the tag you'd like to remove. Choose to remove the tag from The Selected [Event Type] Event or to Apply to selected similar [Event Type] Events. Click Next.
3. Enter some optional comments and click Finish.