See below for detailed information about how to create rules and actions in PhishER.
How to Create a Rule in PhishER
To create a rule in PhishER, navigate to PhishER > Rules. Then, click on the New Rule button in the top-right. This will open the Rule Details screen.
- Name: The unique name you assign to your rule. We recommend using a meaningful name to best reflect the intended behavior of the rule.
- Description (optional): A custom description of your rule. For best practices, we recommend providing a brief description of your rule's intended behavior.
- Edit Tags: Add a custom tag you would like to see attached to a message if it matches this specific rule. To add a tag:
  - Click on Add new tag and type in the desired name of your tag.
  - Then, press Enter on your keyboard.
- Choose Target: Select the part of the message you would like the rule to be applied to or run against. There are four targets you may choose from in the drop-down: Raw, Headers, Body, or Attachments. By default, the rule will have Raw set as the target.
- Rule Editor: Use this space to write the logic of your YARA Rule. PhishER rules will only follow YARA Rule logic to disposition emails. Visit here to learn more about writing YARA Rules.
Once you are done writing your rule, click on the Save Rule button in the top-right of the screen. Your rule will then appear on the Rules List under the Custom Rules tab. Although your rule is saved, the following must be done for the rule to run:
- Enable your rule using the toggle under the rule's Status.
- Then, click on the Apply Changes button in the top-right.
For all rule changes to be acknowledged, the Apply Changes button must be clicked. Then, all enabled rules will run against incoming messages. Messages received prior to your rule change(s) will not be affected.
To edit a Custom Rule, click on the Name or Description of the rule from the Rules List. This will open the Rule Details screen. If you would like to edit a System Rule, first create a new Custom Rule. Then, copy and paste the logic of the System Rule into the rule editor of your Custom Rule.
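As an illustration of the kind of logic that goes in the Rule Editor, here is an added example that is not taken from PhishER's System Rules or documentation. It assumes the rule's target is set to Body; the rule name, meta values, and every string are constructed for the example and should be tuned against your own reported messages before the rule is enabled.

```yara
// Added example (not a PhishER System Rule). Assumes Choose Target = Body.
// Rule name, meta values and strings are constructed for illustration.
rule Example_Credential_Prompt_With_Link
{
    meta:
        description = "Body asks the reader to act on their credentials, applies time pressure, and contains a link"
        author = "example"

    strings:
        // Requests to act on an account or password
        $ask1 = "verify your account" nocase
        $ask2 = "confirm your password" nocase
        $ask3 = "reset your password" nocase
        $ask4 = "unusual sign-in activity" nocase

        // Time pressure
        $urg1 = "within 24 hours" nocase
        $urg2 = "will be suspended" nocase
        $urg3 = "immediately" nocase

        // Any http(s) link in the body
        $link = /https?:\/\/[a-z0-9.\-]{4,}/ nocase

    condition:
        // Require all three signals together to limit false positives:
        // a link alone, or urgent wording alone, is common in legitimate mail.
        $link and 1 of ($ask*) and 1 of ($urg*)
}
```

Pair a rule like this with a tag in Edit Tags so that matching messages can be picked up by an action's tag trigger.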
How to Create an Action in PhishER
To create an action in PhishER, navigate to PhishER > Actions. Then, click on the New Action button in the top-right of the Post Actions screen.
This will open the Action Details page. At the top of the Action Details screen are the Name and Description fields for your action. We recommend assigning a meaningful name and description to your action. Doing this may help you or other admins in your organization easily recall or recognize the purpose of a particular action.
Below the Name and Description fields are four sections to configure when creating your action.
- Every Message: All messages received will trigger this action.
All messages without a tag will trigger this action.
The HAS and DOESN'T HAVE option will appear. For either option, you can select All, Any, or Only. Then, specify the tags you want to include in this action.
Note: Check an action to reveal drop-down options.
Assign a status to a message with this action. A message can have a status of Received, In Review, or Resolved.
- Set Priority: Assign a priority to a message with this action. A message can be evaluated as having a Critical, High, Medium, Low, or Unknown priority.
- Set Category: Assign a category to a message with this action. A message can be categorized as Clean, Spam, Threat, or Unknown.
This action will not be reported.
- Send to Syslog: Send a report of this action to a Syslog server. Using the drop-down menu, you will have the option to select a specific Syslog server if you have one or more servers configured. If you have not configured a server, a link to your Syslog Settings will appear. Visit PhishER Settings for more information on how to integrate a Syslog server with PhishER.
Send a report of this action to a specific email address. You may create a custom email template to be sent when this option is selected. Note: If you would like to have the fields of your email template automatically populate, you can configure your Email Server settings accordingly.
- If you create an action that is set to halt further actions, each action located below this action will not run if the action is triggered. An action that is set to Stop executing further actions will be indicated on the Post Actions screen by having an open hand icon to the left of the Trigger Tags column.
By default, your action will be active. Toggle the Active Status button in the top-right to make your action inactive. Note: For your action to take place, it must have an Active status. Once your action is configured, click the Save Action button in the top-right.
Then, your action will appear on your list of Post Actions. When you're satisfied with the arrangement of your actions, click on the Save Action Order button. To delete an action from your Post Actions list, click on the action. Then, click the Delete Action button in the top-right of the Action Details screen.