Menu

How Do I Create a Rule and Action in PhishER?

Avatar
Natalie Koly
Updated
Follow

Creating Rules and Actions in PhishER

See below for detailed information about how to create rules and actions in PhishER.

Jump to:
How to Create Rules in PhishER

How to Create Actions in PhishER

 

How to Create a Rule in PhishER

To create a rule in PhishER, navigate to PhishER > Rules. Then, click on the New Rule button in the top-right. This will open the Rule Details screen.

  1. Name The unique name you assign to your rule. We recommend using a meaningful name to best reflect the intended behavior of the rule.
  2. Description (optional) A custom description of your rule. For best practices, we recommend providing a brief description of your rule's intended behavior.
  3. Edit Tags Add a custom tag you would like to see attached to a message if it matches this specific rule. To add a tag:
    1. Click on Add new tag and type in the desired name of your tag.
    2. Then, press Enter on your keyboard.
  4. Choose Target Select the part of the message you would like the rule to be applied to or run against. There are four targets you may choose from in the drop-down: Raw, Headers, Body, or Attachments. By default, the rule will have Raw set as the target.
  5. Rule Editor Use this space to write the logic of your YARA Rule. PhishER rules will only follow YARA Rule logic to disposition emails. Visit here to learn more about writing YARA Rules.
  6. Matched Messages Select the type of messages you would like to preview. This field will become available after you click the Preview Rule button. In the drop-down, there are three types of messages you may choose from: Matched Messages, Not-Matched Messages, or All Messages. By default, all Matched Messages will be displayed.
  7. Apply Rule to Current Matches Run your rule against all of the messages in the preview list. At least one message must match your rule and preview rule criteria for this option to become available.
  8. Saved Query (optional) Choose a custom Saved Query to see how the rule affects messages in that query.
  9. Last 7 days Select a date range for the messages you would like to preview. In the drop-down, there are three date ranges you may choose from: By default, messages that were received in the last seven (7) days will be displayed.
  10. Preview Rule Preview how your rule would affect messages in your PhishER inbox. Visit our How to Preview a Rule section for more information.

Once you are done writing your rule, click on the Save Rule button in the top-right of the screen. Your rule will then appear on the Rules List under the Custom Rules tab. Although your rule is saved, the following must be done for the rule to run:

  1. Enable your rule using the toggle under the rule's Status.
  2. Then, click on the Apply Changes button in the top-right.

Note:

For all rule changes to be acknowledged, the Apply Changes button must be clicked. Then, all enabled rules will run against incoming messages. Messages received prior to your rule change(s) will not be affected.

To edit a Custom Rule, click on the Name or Description of the rule from the Rules List. This will open the Rule Details screen. If you would like to edit a System Rule, first create a new Custom Rule. Then, copy and paste the logic of the System Rule into the rule editor of your Custom Rule.

Back to top

 

How to Preview a Rule

If you would like to preview how a rule would affect your PhishER messages, you can do so by following the steps below:

  1. Navigate to PhishER > Rules. Then, click on the New Rule button in the top-right or select a rule from your Rules List. This will open the Rule Details screen.
  2. Write or modify your YARA rule using the Rule Editor.
  3. Before saving your rule, click on the Preview Rule button. This will populate a list of all the messages in your PhishER inbox that match your rule.

    You can update the preview list by modifying the following criteria options:

    Matched Messages
    • Matched Messages (default)
    • Only messages in your PhishER inbox that match the condition of the rule will populate in the preview list.
    • Unmatched Messages
    • Only messages in your PhishER inbox that do not match the condition of the rule will populate in the preview list.
    • All Messages
    • All messages in your PhishER inbox will populate in the preview list. The Matched column (click to view) will indicate if the message matched (true) or did not match (false) the rule.
    Saved Query (optional)
    • Matched | Unmatched | All Messages in your custom Saved Query will populate in the preview list.
    Last 7 days
    • Last 24 hours
      Matched | Unmatched | All Messages received in the last 24 hours will populate in the preview list.
    • Last 7 days (default)
      Matched | Unmatched | All Messages received in the last 7 days will populate in the preview list.
    • Last 30 days
      Matched | Unmatched | All Messages received in the last 30 days will populate in the preview list.
  1. Click on the Apply Rule to Current Matches button if you would like to run this rule against all of the messages in the preview list.

Note:

If you would like to open a message displayed in the preview list, we recommend you open the message in a new tab to avoid losing your rule.

Back to top

 

How to Create an Action in PhishER

To create an action in PhishER, navigate to PhishER > Actions. Then, click on the New Action button in the top-right of the Post Actions screen.

This will open the Action Details page. At the top of the Action Details screen is the Name and Description field for your action. We recommend assigning a meaningful name and description to your action. By doing this, it may help you or other admins in your organization to easily recall or recognize the purpose of a particular action.

Below the Name and Description field are four sections to configure when creating your action. Click on the drop-down to learn more about each section.

Choose how this action should be triggered

  • Every Message
    All messages received will trigger this action.

  • No Tags
    All messages without a tag will trigger this action.

  • Specify Tags
    The HAS and DOESN'T HAVE option will appear. For either option, you can select All, Any, or Only. Then, specify the tags you want to include in this action. To add a tag, follow the steps below:

    1. Click on Add new tag and type in the name of the tag.
    2. Then, press Enter on your keyboard.

  • Manual Trigger Only
     This action will not automatically trigger. Instead, this action must be manually run by selecting it from the Run Action drop-down on the Inbox or Message Details screen.
Choose the action to be taken on matched messages


Note: Check an action to reveal drop-down options.


  • Set Status
    Assign a status to a message with this action. A message can have a status of Received, In Review, or Resolved.

    Set Priority
    Assign a priority to a message with this action. A message can be evaluated as having a Critical, High, Medium, Low, or Unknown priority.

  • Set Category
    Assign a category to a message with this action. A message can be categorized as Clean, Spam, Threat, or Unknown.

  • Add Tags
    Attach a custom tag to a message with this action. To add a tag:

    1. Click on Add new tag and type in the desired name of your tag.
    2. Then, press Enter on your keyboard.
    Repeat the above steps to attach additional tags to this action.
Choose how you would like to report this action

  • None
    This action will not be reported.

    Send to Syslog
    Send a report of this action to a Syslog server. Using the drop-down menu, you will have the option to select a specific Syslog server if you have one or more servers configured. If you have not configured a server, a link to your Syslog Settings will appear. Visit PhishER Settings for more information on how to integrate a Syslog server with PhishER.

  • Send Email
    Send a report of this action to a specific email address. You may create a custom email template to be sent when this option is selected. Note: If you would like to have the fields of your email template automatically populate, you can configure your Email Server settings accordingly.

Choose whether or not to halt further actions

  • If you create an action that is set to halt further actions, each action located below this action will not run if the action is triggered. An action that is set to Stop executing further actions will be indicated on the Post Actions screen by having an open hand icon to the left of the Trigger Tags column.
Choose QuickAction settings

  • Include this action in the QuickAction bar
    The action will display in the Quick Actions bar (click to view) of your PhishER Inbox and in the Actions sidebar of the Message Details screen.

  • Add keyboard shortcut for this Action
    Use your keyboard to press a key. This key will be used as a keyboard shortcut for the specific action. Note: A keyboard shortcut cannot be shared across multiple actions. Each action must have a unique keyboard shortcut.

    Automatically move to Next item in list after Action completes
    If a message is selected and a QuickAction is applied, the next message in your PhishER inbox will automatically appear.

Note:

A total of eight (8) actions can be added to your QuickAction bar.

Choose whether or not to permanently delete matching messages

  • If this option is selected, all matching messages will be permanently deleted from your PhishER inbox when the action is triggered or run.

By default, your action will be active. Toggle the Active Status button in the top-right to make your action inactive. Note: For your action to take place, it must have an Active status. Once your action is configured, click the Save Action button in the top-right.

Then, your action will appear on your list of Post Actions. When you're satisfied with the arrangement of your actions, click on the Save Action Order button. To delete an action from your Post Actions list, click on the action. Then, click the Delete Action button in the top-right of the Action Details screen (see above screenshot).

Back to top

 

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles