Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Română Русский svenska ไทย Türkçe Українська Tiếng Việt 简体中文 繁體中文

How Do I Create a Rule and Action in PhishER?

Updated:

Created:

Creating Rules and Actions in PhishER

See below for detailed information about how to create rules and actions in PhishER.

Jump to:
How to Create Rules in PhishER

How to Create Actions in PhishER

 

How to Create a Rule in PhishER

You can create custom rules in your PhishER platform to disposition emails forwarded to your PhishER inbox. To create your rules, you can use either the Basic Editor or Advanced Editor. All custom rules must follow Yet Another Recursive/Ridiculous Acronym (YARA) logic. YARA is a tool used to identify and classify malware samples.

To create a rule in PhishER, follow the steps below:

  1. Log in to your PhishER platform.
  2. Navigate to PhishER > Rules.
  3. Click the New Rule button at the top-right corner of the page. When you click the button, the Rule Details screen will open. On this page, you can create a rule using either the Basic Editor or the Advanced Editor.

To edit a Custom Rule, click on the Name or Description of the rule from the Rules List. This will open the Rule Details screen. If you would like to edit a System Rule, create a new Custom Rule. Then, copy and paste the logic of the System Rule into the rule editor of your Custom Rule.

Note: For all rule changes to be acknowledged, you must click the Apply Changes button. Then, all enabled rules will run against incoming messages. Messages received prior to your rule change(s) will not be affected.

To learn how to create a rule using the Basic Editor or the Advanced Editor, see the subsections below.

How to Create a Rule Using the Basic Editor

The Basic Editor guides you through creating a custom rule. To learn how to create a rule using the Basic Editor, see the screenshot and list below:

    1. Name: Enter a unique name for your rule. We recommend that you enter a name that reflects the intended behavior of the rule. The name cannot start with a numerical value, exceed 128 characters, or be one of these keywords.
    2. Description (optional): Enter a description of your rule. As a best practice, we recommend that you enter a brief description of the rule's intended behavior.
    3. Edit Tags: Add a custom tag that you would like to see attached to a message if the message matches this specific rule. To add a tag, follow the steps below:
      1. Click Add new tag.
      2. Enter a name for your tag.
      3. Click outside of the Add new tag field to create the tag.
    4. Choose Target: Select the part of the message you would like the rule to be applied to or run against. You may choose one of four targets from the drop-down menu. The targets include Raw, Headers, Body, or Attachments. By default, the rule will have Raw set as the target.
    5. YARA Rule Editor: Use this space to create your YARA Rule using either the Basic Editor or Advanced Editor. PhishER rules will only follow YARA Rule logic to disposition emails.
    6. Basic Editor: Click this tab to create a YARA rule using the Basic Editor. Editing a rule in the Advanced Editor will disable the Basic Editor for that rule.
    7. Create Strings: Create and define strings to use when creating your conditions. For more information about creating strings in the Basic Editor, see our How Do I Create Strings and Conditions in the Basic Editor? article.
    8. New String: Click this button to add a string to the rule. You can create up to five strings per rule.
    9. Create Conditions: Create conditions by selecting how your defined strings should relate to each other. Conditions are used to express what emails you want your rule to detect. You can select from the following options:
      • Match any of the defined strings: Select this option to detect emails that match any of your defined strings.
      • Match all of the defined strings: Select this option to detect emails that match all of your defined strings.
      • Custom conditions: Select this option to detect emails that match your custom conditions.
        See our How Do I Create Strings and Conditions in the Basic Editor? article for more information.
    10. New Condition Group: This button is only available when the Custom conditions option is selected. You can click this button to create custom conditions that emails must meet to be detected by the rule.
    11. Save Rule: Click this button to save your rule. Your rule will then appear on the Rules List under the Custom Rules tab. Although your rule is saved, you must follow the steps below for the rule to run successfully:
      1. Enable your rule by turning on the toggle under the rule's Status.
      2. Then, click on the Apply Changes button in the top-right corner of the page.
    12. Apply Rule to Inbox: Run your rule against all of the messages in the inbox. At least one message must match your rule and preview rule criteria for this option to become available.
    13. Saved Query (optional): Choose a custom Saved Query to see how the rule affects messages in that query.
    14. Last 7 days: Select a date range for the messages you would like to preview. You can choose from three date ranges in the drop-down menu. The options include Last 24 hours, Last 7 days, and Last 30 days. By default, messages that were received in the last seven (7) days will be displayed.
    15. Run Preview: Preview how your rule would affect messages in your PhishER inbox. For more information, see the How to Preview a Rule section of this article.
    16. Matched Messages: Select the type of messages you would like to preview. This field will become available after you click the Preview Rule button. You can choose from three types of messages in the drop-down menu. The options include Matched Messages, Not-Matched Messages, or All Messages. By default, all Matched Messages will be displayed.

Back to top

 

How to Create a Rule Using the Advanced Editor

The Advanced Editor allows you to write the logic of your YARA Rule without guidance. To learn how to create a rule using the Advanced Editor, see the screenshot and list below:

  1. Name: Enter a unique name for your rule. We recommend that you enter a name that reflects the intended behavior of the rule.
  2. Description (optional): Enter a description of your rule. As a best practice, we recommend that you enter a brief description of the rule's intended behavior.
  3. Edit Tags: Add a custom tag that you would like to see attached to a message if the message matches this specific rule. To add a tag, follow the steps below:
    1. Click Add new tag.
    2. Enter a name for your tag.
    3. Click outside of the Add new tag field to create the tag.
  4. Choose Target: Select the part of the message you would like the rule to be applied to or run against. You may choose one of four targets from the drop-down menu. The targets include Raw, Headers, Body, or Attachments. By default, the rule will have Raw set as the target.
  5. YARA Rule Editor: Use this space to create your YARA Rule using either the Basic Editor or Advanced Editor. PhishER rules will only follow YARA Rule logic to disposition emails.
  6. Advanced Editor: Click this tab to create a YARA rule using the Advanced Editor. To learn more about writing YARA Rules, see our How to Write YARA Rules article. Editing a rule in the Advanced Editor will disable the Basic Editor for that rule.
  7. Save Rule: Click this button to save your rule. Your rule will then appear on the Rules List under the Custom Rules tab. Although your rule is saved, you must follow the steps below for the rule to run successfully:
    1. Enable your rule by turning on the toggle under the rule's Status.
    2. Then, click on the Apply Changes button in the top-right corner of the page.
  8. Apply Rule to Inbox: Run your rule against all of the messages in the inbox. At least one message must match your rule and preview rule criteria for this option to become available.
  9. Saved Query (optional): Choose a custom Saved Query to see how the rule affects messages in that query.
  10. Last 7 days: Select a date range for the messages you would like to preview. You can choose from three date ranges in the drop-down menu. The options include Last 24 hours, Last 7 days, and Last 30 days. By default, messages that were received in the last seven (7) days will be displayed.
  11. Run Preview: Preview how your rule would affect messages in your PhishER inbox. For more information, see the How to Preview a Rule section of this article.
  12. Matched Messages: Select the type of messages you would like to preview. This field will become available after you click the Preview Rule button. You can choose from three types of messages in the drop-down menu. The options include Matched Messages, Not-Matched Messages, or All Messages. By default, all Matched Messages will be displayed.

Back to top

 

How to Preview a Rule

If you would like to preview how a rule would affect your PhishER messages, you can do so by following the steps below:

  1. Navigate to PhishER > Rules.
  2. Click the New Rule button in the top-right corner of the page or select a rule from your Rules List.
  3. When you click the New Rule button, the Rule Details screen will open.
  4. Write or modify your YARA rule using the Rule Editor.
  5. Before saving your rule, click on the Preview Rule button. This will populate a list of all the messages in your PhishER inbox that match your rule.

    You can update the preview list by modifying the following criteria options:

    Matched Messages
    • Matched Messages (default)
    • Only messages in your PhishER inbox that match the condition of the rule will populate in the preview list.
    • Unmatched Messages
    • Only messages in your PhishER inbox that do not match the condition of the rule will populate in the preview list.
    • All Messages
    • All messages in your PhishER inbox will populate in the preview list. The Matched column (click to view) will indicate if the message matched (true) or did not match (false) the rule.
    Saved Query (optional)
    • Matched | Unmatched | All Messages in your custom Saved Query will populate in the preview list.
    •  
    Last 7 days
    • Last 24 hours
      Matched | Unmatched | All Messages received in the last 24 hours will populate in the preview list.
    • Last 7 days (default)
      Matched | Unmatched | All Messages received in the last 7 days will populate in the preview list.
    • Last 30 days
      Matched | Unmatched | All Messages received in the last 30 days will populate in the preview list.
  1. Click on the Apply Rule to Current Matches button if you would like to run this rule against all of the messages in the preview list.

Note:

If you would like to open a message displayed in the preview list, we recommend you open the message in a new tab to avoid losing your rule.

Back to top

 

How to Create an Action in PhishER

To create an action in PhishER, navigate to PhishER > Actions. Then, click on the New Action button in the top-right of the Post Actions screen.

This will open the Action Details page. At the top of the Action Details screen is the Name and Description field for your action. We recommend assigning a meaningful name and description to your action. By doing this, it may help you or other admins in your organization to easily recall or recognize the purpose of a particular action.

Below the Name and Description field are four sections to configure when creating your action. Click on the drop-down to learn more about each section.

Choose how this action should be triggered

  • Every Message
    All messages received will trigger this action.

  • No Tags
    All messages without a tag will trigger this action.

  • Specify Tags
    The HAS and DOESN'T HAVE option will appear. For either option, you can select All, Any, or Only. Then, specify the tags you want to include in this action. To add a tag, follow the steps below:

    1. Click on Add new tag and type in the name of the tag.
    2. Then, press Enter on your keyboard.

  • Manual Trigger Only
     This action will not automatically trigger. Instead, this action must be manually run by selecting it from the Run Action drop-down on the Inbox or Message Details screen.
Choose the action to be taken on matched messages


Note: Check an action to reveal drop-down options.


  • Set Status
    Assign a status to a message with this action. A message can have a status of Received, In Review, or Resolved.

    Set Priority
    Assign a priority to a message with this action. A message can be evaluated as having a Critical, High, Medium, Low, or Unknown priority.

  • Set Category
    Assign a category to a message with this action. A message can be categorized as Clean, Spam, Threat, or Unknown.

  • Add Tags
    Attach a custom tag to a message with this action. To add a tag:

    1. Click on Add new tag and type in the desired name of your tag.
    2. Then, press Enter on your keyboard.
    Repeat the above steps to attach additional tags to this action.
Choose how you would like to report this action

  • None
    This action will not be reported.

    Send to Syslog
    Send a report of this action to a Syslog server. Using the drop-down menu, you will have the option to select a specific Syslog server if you have one or more servers configured. If you have not configured a server, a link to your Syslog Settings will appear. Visit PhishER Settings for more information on how to integrate a Syslog server with PhishER.

     

  • Send Email
    Send a report of this action to a specific email address. You may create a custom email template to be sent when this option is selected. Note: If you would like to have the fields of your email template automatically populate, you can configure your Email Server settings accordingly.

     

  • For more information about using the email template editor, see our How to Create a Custom Email Template in PhishER article.

  • Send to KMSAT
     Send a report of this action to the KMSAT console. You may use this option to see how the Action will appear on the user timeline and the message ID that can be used to search in the PhishER console to see the message that the user has reported. The User Timeline will include whether the message is read or unread, the folder the message was found in, the message's category, and whether it was reported to PhishER. Note: This option will be enabled once you have entered your User Event API Key into the PhishER Settings.

  • Send to Webhook
     Send a report of this action to a Webhook. You may use this option to see how the Action will appear on the selected Webhook. When the Action is triggered, the Webhook will display the message details.

Choose whether or not to halt further actions

  • If you create an action that is set to halt further actions, each action located below this action will not run if the action is triggered. An action that is set to Stop executing further actions will be indicated on the Post Actions screen by having an open hand icon to the left of the Trigger Tags column.
Choose QuickActions settings

  • Include this action in the QuickActions bar
    The action will display in the Quick Actions bar (click to view) of your PhishER Inbox and in the Actions sidebar of the Message Details screen.

  • Add keyboard shortcut for this Action
    Use your keyboard to press a key. This key will be used as a keyboard shortcut for the specific action. Note: A keyboard shortcut cannot be shared across multiple actions. Each action must have a unique keyboard shortcut.

    Automatically move to Next item in list after Action completes
    If a message is selected and QuickActions are applied, the next message in your PhishER inbox will automatically appear.

Note:

A total of eight (8) actions can be added to your QuickActions bar.

Choose whether or not to permanently delete matching messages

  • If this option is selected, any new matching messages with the associated tags will be permanently deleted from your PhishER inbox when the action is triggered or run. Any past messages that also have the associated tag, will not be found or deleted when this action is triggered or run.
Find Similar Messages

  • If you choose to have this Action triggered for all messages, this section will be automatically disabled.

    If this option is enabled, you can select the criteria that you would like the Action to create a new PhishRIP Query when the Action is triggered. You can create KMSAT phishing templates by PhishFlipping all the found messages for the Action. You also make specific KMSAT phishing templates for only the emails that trigger the Action.

By default, your action will be active. Toggle the Active Status button in the top-right to make your action inactive. Note: For your action to take place, it must have an Active status. Once your action is configured, click the Save Action button in the top-right.

Then, your action will appear on your list of Post Actions. When you're satisfied with the arrangement of your actions, click on the Save Action Order button. To delete an action from your Post Actions list, click on the action. Then, click the Delete Action button in the top-right of the Action Details screen (see above screenshot).

Back to top

 

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles