See below for detailed information about how to create rules and actions in PhishER.
How to Create Rules in PhishER
How to Create a Rule in PhishER
To create a rule in PhishER, navigate to PhishER > Rules. Then, click on the New Rule button in the top-right. This will open the Rule Details screen.
- Name: The unique name you assign to your rule. We recommend using a meaningful name that reflects the intended behavior of the rule.
- Description (optional): A custom description of your rule. As a best practice, we recommend providing a brief description of your rule's intended behavior.
- Edit Tags: Add a custom tag you would like to see attached to a message if it matches this specific rule. To add a tag:
  - Click on Add new tag and type in the desired name of your tag.
  - Then, click away to create the tag.
- Choose Target: Select the part of the message you would like the rule to be applied to or run against. There are four targets you may choose from in the drop-down: Raw, Headers, Body, or Attachments. By default, the rule will have Raw set as the target.
- Rule Editor: Use this space to write the logic of your YARA Rule. PhishER rules will only follow YARA Rule logic to disposition emails. Visit our How to Write YARA Rules article to learn more about writing YARA Rules.
- Matched Messages: Select the type of messages you would like to preview. This field will become available after you click the Preview Rule button. In the drop-down, there are three types of messages you may choose from: Matched Messages, Not-Matched Messages, or All Messages. By default, all Matched Messages will be displayed.
- Apply Rule to Current Matches: Run your rule against all of the messages in the preview list. At least one message must match your rule and preview rule criteria for this option to become available.
- Saved Query (optional): Choose a custom Saved Query to see how the rule affects messages in that query.
- Last 7 days: Select a date range for the messages you would like to preview. In the drop-down, there are three date ranges you may choose from: Last 24 hours, Last 7 days, or Last 30 days. By default, messages that were received in the last seven (7) days will be displayed.
- Preview Rule: Preview how your rule would affect messages in your PhishER inbox. Visit the How to Preview a Rule section for more information.
Once you are done writing your rule, click on the Save Rule button in the top-right of the screen. Your rule will then appear on the Rules List under the Custom Rules tab. Although your rule is saved, the following must be done for the rule to run:
- Enable your rule using the toggle under the rule's Status.
- Then, click on the Apply Changes button in the top-right.
For all rule changes to be acknowledged, the Apply Changes button must be clicked. Then, all enabled rules will run against incoming messages. Messages received prior to your rule change(s) will not be affected.
To edit a Custom Rule, click on the Name or Description of the rule from the Rules List. This will open the Rule Details screen. If you would like to edit a System Rule, first create a new Custom Rule. Then, copy and paste the logic of the System Rule into the rule editor of your Custom Rule.
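To illustrate how the Choose Target setting and the Rule Editor work together, here are two rules written for this article as added examples; they are not KnowBe4 System Rules. The rule names, strings, and thresholds are constructed assumptions. Each rule would be saved as its own Custom Rule, with the target noted in its comment selected in the Choose Target drop-down and the tag set under Edit Tags.

```yara
// Constructed example 1. Choose Target: Body
// Matches account-verification wording together with a link whose host
// is a raw IPv4 address instead of a domain name.
rule Example_Body_Credential_Lure_IP_Link
{
    meta:
        description = "Verification lure plus link to a bare IP address"
    strings:
        $lure1 = "verify your account" nocase
        $lure2 = "password will expire" nocase
        $lure3 = "unusual sign-in activity" nocase
        // http(s)://<a.b.c.d> followed by a path or port separator
        $ip_link = /https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}[\/:]/ nocase
    condition:
        // Require both signals so that ordinary account notices
        // without an IP-literal link do not match.
        any of ($lure*) and $ip_link
}

// Constructed example 2. Choose Target: Headers
// Matches messages whose Authentication-Results header records both an
// SPF failure and a DKIM failure.
rule Example_Headers_SPF_And_DKIM_Fail
{
    meta:
        description = "SPF fail/softfail and DKIM fail in the same headers"
    strings:
        $auth_hdr  = "Authentication-Results:" nocase
        $spf_fail  = /spf=(fail|softfail)/ nocase
        $dkim_fail = "dkim=fail" nocase
    condition:
        $auth_hdr and $spf_fail and $dkim_fail
}
```

Before enabling either rule, run Preview Rule with All Messages selected and check the Matched column for legitimate mail that the strings catch.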
How to Preview a Rule
If you would like to preview how a rule would affect your PhishER messages, you can do so by following the steps below:
- Navigate to PhishER > Rules. Then, click on the New Rule button in the top-right or select a rule from your Rules List. This will open the Rule Details screen.
- Write or modify your YARA rule using the Rule Editor.
- Before saving your rule, click on the Preview Rule button. This will populate a list of all the messages in your PhishER inbox that match your rule.
You can update the preview list by modifying the following criteria options:
Matched Messages
- Matched Messages (default)
Only messages in your PhishER inbox that match the condition of the rule will populate in the preview list.
- Unmatched Messages
Only messages in your PhishER inbox that do not match the condition of the rule will populate in the preview list.
- All Messages
All messages in your PhishER inbox will populate in the preview list. The Matched column will indicate if the message matched (true) or did not match (false) the rule.
Saved Query (optional)
Matched | Unmatched | All Messages in your custom Saved Query will populate in the preview list.
Last 7 days
- Last 24 hours
Matched | Unmatched | All Messages received in the last 24 hours will populate in the preview list.
- Last 7 days (default)
Matched | Unmatched | All Messages received in the last 7 days will populate in the preview list.
- Last 30 days
Matched | Unmatched | All Messages received in the last 30 days will populate in the preview list.
- Click on the Apply Rule to Current Matches button if you would like to run this rule against all of the messages in the preview list.
If you would like to open a message displayed in the preview list, we recommend you open the message in a new tab to avoid losing your rule.
How to Create an Action in PhishER
To create an action in PhishER, navigate to PhishER > Actions. Then, click on the New Action button in the top-right of the Post Actions screen.
This will open the Action Details page. At the top of the Action Details screen are the Name and Description fields for your action. We recommend assigning a meaningful name and description to your action. Doing this may help you or other admins in your organization to easily recall or recognize the purpose of a particular action.
Below the Name and Description fields are four sections to configure when creating your action.
- Every Message
All messages received will trigger this action.
All messages without a tag will trigger this action.
The HAS and DOESN'T HAVE option will appear. For either option, you can select All, Any, or Only. Then, specify the tags you want to include in this action. To add a tag, follow the steps below:
- Click on Add new tag and type in the name of the tag.
- Then, press Enter on your keyboard.
Manual Trigger Only
This action will not automatically trigger. Instead, this action must be manually run by selecting it from the Run Action drop-down on the Inbox or Message Details screen.
Note: Check an action to reveal drop-down options.
Assign a status to a message with this action. A message can have a status of Received, In Review, or Resolved.
Assign a priority to a message with this action. A message can be evaluated as having a Critical, High, Medium, Low, or Unknown priority.
Assign a category to a message with this action. A message can be categorized as Clean, Spam, Threat, or Unknown.
Attach a custom tag to a message with this action. To add a tag:
- Click on Add new tag and type in the desired name of your tag.
- Then, press Enter on your keyboard.
This action will not be reported.
Send to Syslog
Send a report of this action to a Syslog server. Using the drop-down menu, you will have the option to select a specific Syslog server if you have one or more servers configured. If you have not configured a server, a link to your Syslog Settings will appear. Visit PhishER Settings for more information on how to integrate a Syslog server with PhishER.
- Send Email
Send a report of this action to a specific email address. You may create a custom email template to be sent when this option is selected. Note: If you would like to have the fields of your email template automatically populate, you can configure your Email Server settings accordingly.
- Send to KMSAT
Send a report of this action to the KMSAT console. You may use this option to see how the Action will appear on the user timeline and the message ID that can be used to search in the PhishER console to see the message that the user has reported. The User Timeline will include whether the message is read or unread, the folder the message was found in, the message's category, and whether it was reported to PhishER. Note: This option will be enabled once you have entered your User Event API Key into the PhishER Settings.
- Send to Webhook
Send a report of this action to a Webhook. You may use this option to see how the Action will appear on the selected Webhook. When the Action is triggered, the Webhook will display the message details.
- If you create an action that is set to halt further actions, each action located below this action will not run if the action is triggered. An action that is set to Stop executing further actions will be indicated on the Post Actions screen by having an open hand icon to the left of the Trigger Tags column.
- Include this action in the QuickActions bar
The action will display in the Quick Actions bar of your PhishER Inbox and in the Actions sidebar of the Message Details screen.
- Add keyboard shortcut for this Action
Use your keyboard to press a key. This key will be used as a keyboard shortcut for the specific action. Note: A keyboard shortcut cannot be shared across multiple actions. Each action must have a unique keyboard shortcut.
Automatically move to Next item in list after Action completes
If a message is selected and QuickActions are applied, the next message in your PhishER inbox will automatically appear.
A total of eight (8) actions can be added to your QuickActions bar.
- If this option is selected, any new matching messages with the associated tags will be permanently deleted from your PhishER inbox when the action is triggered or run. Any past messages that also have the associated tag will not be found or deleted when this action is triggered or run.
If you choose to have this Action triggered for all messages, this section will be automatically disabled.
If this option is enabled, you can select the criteria the Action will use to create a new PhishRIP Query when the Action is triggered. You can create KMSAT phishing templates by PhishFlipping all the found messages for the Action. You can also make specific KMSAT phishing templates for only the emails that trigger the Action.
By default, your action will be active. Toggle the Active Status button in the top-right to make your action inactive. Note: For your action to take place, it must have an Active status. Once your action is configured, click the Save Action button in the top-right.
Then, your action will appear on your list of Post Actions. When you're satisfied with the arrangement of your actions, click on the Save Action Order button. To delete an action from your Post Actions list, click on the action. Then, click the Delete Action button in the top-right of the Action Details screen.