Creating Rules and Actions in PhishER
See below for detailed information about how to create rules and actions in PhishER.
Jump to:
How to Create Rules in PhishER
- How to Create a Rule Using the Basic Editor
- How to Create a Rule Using the Advanced Editor
- How to Preview a Rule
How to Create Actions in PhishER
How to Create a Rule in PhishER
You can create custom rules in your PhishER platform to disposition emails forwarded to your PhishER inbox. To create your rules, you can use either the Basic Editor or Advanced Editor. All custom rules must follow Yet Another Recursive/Ridiculous Acronym (YARA) logic. YARA is a tool used to identify and classify malware samples.
To create a rule in PhishER, follow the steps below:
- Log in to your PhishER platform.
- Navigate to PhishER > Rules.
- Click the New Rule button at the top-right corner of the page. When you click the button, the Rule Details screen will open. On this page, you can create a rule using either the Basic Editor or the Advanced Editor.
To edit a Custom Rule, click on the Name or Description of the rule from the Rules List. This will open the Rule Details screen. If you would like to edit a System Rule, create a new Custom Rule. Then, copy and paste the logic of the System Rule into the rule editor of your Custom Rule.
Note: For all rule changes to be acknowledged, you must click the Apply Changes button. Then, all enabled rules will run against incoming messages. Messages received prior to your rule change(s) will not be affected.
To learn how to create a rule using the Basic Editor or the Advanced Editor, see the subsections below.
How to Create a Rule Using the Basic Editor
The Basic Editor guides you through creating a custom rule. To learn how to create a rule using the Basic Editor, see the list below:
- Name: Enter a unique name for your rule. We recommend that you enter a name that reflects the intended behavior of the rule. The name cannot start with a numerical value, exceed 128 characters, or be one of YARA's reserved keywords.
- Description (optional): Enter a description of your rule. As a best practice, we recommend that you enter a brief description of the rule's intended behavior.
- Edit Tags: Add a custom tag that you would like to see attached to a message if the message matches this specific rule. To add a tag, follow the steps below:
- Click Add new tag.
- Enter a name for your tag.
- Click outside of the Add new tag field to create the tag.
- Choose Target: Select the part of the message you would like the rule to be applied to or run against. You may choose one of four targets from the drop-down menu. The targets include Raw, Headers, Body, or Attachments. By default, the rule will have Raw set as the target.
- YARA Rule Editor: Use this space to create your YARA Rule using either the Basic Editor or Advanced Editor. PhishER rules will only follow YARA Rule logic to disposition emails.
- Basic Editor: Click this tab to create a YARA rule using the Basic Editor. Editing a rule in the Advanced Editor will disable the Basic Editor for that rule.
- Create Strings: Create and define strings to use when creating your conditions. For more information about creating strings in the Basic Editor, see our How Do I Create Strings and Conditions in the Basic Editor? article.
- New String: Click this button to add a string to the rule. You can create up to five strings per rule.
- Create Conditions: Create conditions by selecting how your defined strings should relate to each other. Conditions are used to express what emails you want your rule to detect. You can select from the following options:
- Match any of the defined strings: Select this option to detect emails that match any of your defined strings.
- Match all of the defined strings: Select this option to detect emails that match all of your defined strings.
- Custom conditions: Select this option to detect emails that match your custom conditions.
See our How Do I Create Strings and Conditions in the Basic Editor? article for more information.
- New Condition Group: This button is only available when the Custom conditions option is selected. You can click this button to create custom conditions that emails must meet to be detected by the rule.
- Save Rule: Click this button to save your rule. Your rule will then appear on the Rules List under the Custom Rules tab. Although your rule is saved, you must follow the steps below for the rule to run successfully:
- Enable your rule by turning on the toggle under the rule's Status.
- Then, click on the Apply Changes button in the top-right corner of the page.
- Apply Rule to Inbox: Run your rule against all of the messages in the inbox. At least one message must match your rule and preview rule criteria for this option to become available.
- Saved Query (optional): Choose a custom Saved Query to see how the rule affects messages in that query.
- Last 7 days: Select a date range for the messages you would like to preview. You can choose from three date ranges in the drop-down menu. The options include Last 24 hours, Last 7 days, and Last 30 days. By default, messages that were received in the last seven (7) days will be displayed.
- Run Preview: Preview how your rule would affect messages in your PhishER inbox. For more information, see the How to Preview a Rule section of this article.
- Matched Messages: Select the type of messages you would like to preview. This field will become available after you click the Preview Rule button. You can choose from three types of messages in the drop-down menu. The options include Matched Messages, Not-Matched Messages, or All Messages. By default, all Matched Messages will be displayed.
How to Create a Rule Using the Advanced Editor
The Advanced Editor allows you to write the logic of your YARA Rule without guidance. To learn how to create a rule using the Advanced Editor, see the list below:
- Name: Enter a unique name for your rule. We recommend that you enter a name that reflects the intended behavior of the rule.
- Description (optional): Enter a description of your rule. As a best practice, we recommend that you enter a brief description of the rule's intended behavior.
- Edit Tags: Add a custom tag that you would like to see attached to a message if the message matches this specific rule. To add a tag, follow the steps below:
- Click Add new tag.
- Enter a name for your tag.
- Click outside of the Add new tag field to create the tag.
- Choose Target: Select the part of the message you would like the rule to be applied to or run against. You may choose one of four targets from the drop-down menu. The targets include Raw, Headers, Body, or Attachments. By default, the rule will have Raw set as the target.
- YARA Rule Editor: Use this space to create your YARA Rule using either the Basic Editor or Advanced Editor. PhishER rules will only follow YARA Rule logic to disposition emails.
- Advanced Editor: Click this tab to create a YARA rule using the Advanced Editor. To learn more about writing YARA Rules, see our How to Write YARA Rules article. Editing a rule in the Advanced Editor will disable the Basic Editor for that rule.
- Save Rule: Click this button to save your rule. Your rule will then appear on the Rules List under the Custom Rules tab. Although your rule is saved, you must follow the steps below for the rule to run successfully:
- Enable your rule by turning on the toggle under the rule's Status.
- Then, click on the Apply Changes button in the top-right corner of the page.
- Apply Rule to Inbox: Run your rule against all of the messages in the inbox. At least one message must match your rule and preview rule criteria for this option to become available.
- Saved Query (optional): Choose a custom Saved Query to see how the rule affects messages in that query.
- Last 7 days: Select a date range for the messages you would like to preview. You can choose from three date ranges in the drop-down menu. The options include Last 24 hours, Last 7 days, and Last 30 days. By default, messages that were received in the last seven (7) days will be displayed.
- Run Preview: Preview how your rule would affect messages in your PhishER inbox. For more information, see the How to Preview a Rule section of this article.
- Matched Messages: Select the type of messages you would like to preview. This field will become available after you click the Preview Rule button. You can choose from three types of messages in the drop-down menu. The options include Matched Messages, Not-Matched Messages, or All Messages. By default, all Matched Messages will be displayed.
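As an added example (not from this article or from KnowBe4), here is a rule of the kind the Basic Editor produces from four strings and a custom condition group, written out as you would type it into the Advanced Editor with Headers selected as the target. The domain example.com stands in for your own mail domain and is an assumption; the negated string needs the Custom conditions option, since the "Match any" and "Match all" presets cannot express it.

```yara
// Added example, not part of the PhishER article. Intended target: Headers.
// example.com is a placeholder for your organization's own mail domain.
rule Internal_From_External_ReplyTo_Urgent
{
    meta:
        description = "From header shows an internal sender, Reply-To goes elsewhere, and the subject pushes urgency"

    strings:
        // From header presenting an address on our own domain
        $from_internal   = /\nFrom:[^\n]*@example\.com/ nocase
        // Any Reply-To header at all
        $reply_to        = /\nReply-To:/ nocase
        // A Reply-To that stays on our own domain (excludes benign cases)
        $reply_internal  = /\nReply-To:[^\n]*@example\.com/ nocase
        // Subject lines that pressure the recipient to act fast
        $subject_urgent  = /\nSubject:[^\n]*(urgent|immediately|action required)/ nocase

    condition:
        // Custom condition: all three positive strings present, and the
        // Reply-To must NOT point back at our own domain.
        $from_internal and $reply_to and not $reply_internal and $subject_urgent
}
```

Use Run Preview against the last 30 days before enabling it; the All Messages view with the Matched column shows which internal-looking messages the negated Reply-To string is excluding.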
How to Preview a Rule
If you would like to preview how a rule would affect your PhishER messages, you can do so by following the steps below:
- Navigate to PhishER > Rules.
- Click the New Rule button in the top-right corner of the page or select a rule from your Rules List.
- When you click the New Rule button, the Rule Details screen will open.
- Write or modify your YARA rule using the Rule Editor.
- Before saving your rule, click on the Preview Rule button. This will populate a list of all the messages in your PhishER inbox that match your rule.
You can update the preview list by modifying the following criteria options:
Matched Messages
- Matched Messages (default): Only messages in your PhishER inbox that match the condition of the rule will populate in the preview list.
- Unmatched Messages: Only messages in your PhishER inbox that do not match the condition of the rule will populate in the preview list.
- All Messages: All messages in your PhishER inbox will populate in the preview list. The Matched column will indicate if the message matched (true) or did not match (false) the rule.
Saved Query (optional)
- Matched, Unmatched, or All Messages in your custom Saved Query will populate in the preview list.
Last 7 days
- Last 24 hours: Matched, Unmatched, or All Messages received in the last 24 hours will populate in the preview list.
- Last 7 days (default): Matched, Unmatched, or All Messages received in the last 7 days will populate in the preview list.
- Last 30 days: Matched, Unmatched, or All Messages received in the last 30 days will populate in the preview list.
- Click on the Apply Rule to Current Matches button if you would like to run this rule against all of the messages in the preview list.
Note: If you would like to open a message displayed in the preview list, we recommend you open the message in a new tab to avoid losing your rule.
How to Create an Action in PhishER
To create an action in PhishER, navigate to PhishER > Actions. Then, click on the New Action button in the top-right of the Post Actions screen.
This will open the Action Details page. At the top of the Action Details screen is the Name and Description field for your action. We recommend assigning a meaningful name and description to your action. By doing this, it may help you or other admins in your organization to easily recall or recognize the purpose of a particular action.
Below the Name and Description fields are four sections to configure when creating your action. Each section and its options are described below.
- Every Message: All messages received will trigger this action.
- No Tags: All messages without a tag will trigger this action.
- Specify Tags: The HAS and DOESN'T HAVE options will appear. For either option, you can select All, Any, or Only. Then, specify the tags you want to include in this action. To add a tag, follow the steps below:
- Click on Add new tag and type in the name of the tag.
- Then, press Enter on your keyboard.
- Manual Trigger Only: This action will not automatically trigger. Instead, this action must be manually run by selecting it from the Run Action drop-down on the Inbox or Message Details screen.
Note: Check an action to reveal drop-down options.
- Set Status: Assign a status to a message with this action. A message can have a status of Received, In Review, or Resolved.
- Set Priority: Assign a priority to a message with this action. A message can be evaluated as having a Critical, High, Medium, Low, or Unknown priority.
- Set Category: Assign a category to a message with this action. A message can be categorized as Clean, Spam, Threat, or Unknown.
- Add Tags: Attach a custom tag to a message with this action. To add a tag, follow the steps below:
- Click on Add new tag and type in the desired name of your tag.
- Then, press Enter on your keyboard.
- None: This action will not be reported.
- Send to Syslog: Send a report of this action to a Syslog server. Using the drop-down menu, you will have the option to select a specific Syslog server if you have one or more servers configured. If you have not configured a server, a link to your Syslog Settings will appear. Visit PhishER Settings and Whitelisting in Syslog for more information on how to integrate a Syslog server with PhishER.
- Send Email: Send a report of this action to a specific email address. You may create a custom email template to be sent when this option is selected. Note: If you would like to have the fields of your email template automatically populate, you can configure your Email Server settings accordingly. For more information about using the email template editor, see our How to Create a Custom Email Template in PhishER article.
- Send to KMSAT: Send a report of this action to the KMSAT console. You may use this option to see how the Action will appear on the user timeline and the message ID that can be used to search in the PhishER console to see the message that the user has reported. The User Timeline will include whether the message is read or unread, the folder the message was found in, the message's category, and whether it was reported to PhishER. Note: This option will be enabled once you have entered your User Event API Key into the PhishER Settings.
- Send to Webhook: Send a report of this action to a Webhook. You may use this option to see how the Action will appear on the selected Webhook. When the Action is triggered, the Webhook will display the message details.
- Stop executing further actions: If this option is selected, each action located below this action in the list will not run when this action is triggered. An action that is set to Stop executing further actions is indicated on the Post Actions screen by an open hand icon to the left of the Trigger Tags column.
- Include this action in the QuickActions bar: The action will display in the Quick Actions bar of your PhishER Inbox and in the Actions sidebar of the Message Details screen.
- Add keyboard shortcut for this Action: Use your keyboard to press a key. This key will be used as a keyboard shortcut for the specific action. Note: A keyboard shortcut cannot be shared across multiple actions. Each action must have a unique keyboard shortcut.
- Automatically move to Next item in list after Action completes: If a message is selected and QuickActions are applied, the next message in your PhishER inbox will automatically appear.
Note: A total of eight (8) actions can be added to your QuickActions bar.
- If this option is selected, any new matching messages with the associated tags will be permanently deleted from your PhishER inbox when the action is triggered or run. Any past messages that also have the associated tag will not be found or deleted when this action is triggered or run.
- If you choose to have this Action triggered for all messages, this section will be automatically disabled. If this option is enabled, you can select the criteria for the new PhishRIP Query that the Action creates when it is triggered. You can create KMSAT phishing templates by PhishFlipping all of the messages found for the Action. You can also make specific KMSAT phishing templates for only the emails that trigger the Action.
By default, your action will be active. Toggle the Active Status button in the top-right to make your action inactive. Note: For your action to take place, it must have an Active status. Once your action is configured, click the Save Action button in the top-right.
Then, your action will appear on your list of Post Actions. When you're satisfied with the arrangement of your actions, click on the Save Action Order button. To delete an action from your Post Actions list, click on the action. Then, click the Delete Action button in the top-right of the Action Details screen.