    Douglas Freeman

    Hi Jared,

    Thank you for posting to the community board! We do have some information on how PhishML operates; you can find that here.

    Although it may not cover the information exactly as you need it to create your rules, I would be glad to open a support ticket on your behalf and have one of our technicians take a closer look for you and possibly get that information you need on PML.

    Just let us know if opening a ticket is something you'd want us to do for you! 


    Stan Oleszkowicz

    I'd like to add my $0.02 to this suggestion. It would be helpful to be able to set different tags at various confidence levels for each of the Threat, Spam and Clean categories. This would allow the following example:

    PML:THREAT_HIGH tag is assigned if the high confidence slider for Threat is set to a value of 100

    PML:THREAT_MEDIUM tag is assigned if the medium confidence slider for Threat is set to a value of 80

    PML:THREAT_LOW tag is assigned if the medium confidence slider for Threat is set to a value of 50

    This would allow for an action to be defined that automatically notifies the submitter that the message poses a threat for a high confidence level, but notifies the user (and the IT team) that more analysis is required for the medium or low level. Low, Medium and High thresholds would be set for each of Clean, Spam and Threat, but this example focuses only on the Threat slider. For VirusTotal, having tags of VT:BAD_HIGH, VT:BAD_MEDIUM and VT:BAD_LOW assigned based on user-defined thresholds for the number of engine detections would address the VirusTotal side of Jared's original suggestion.


    Jared Anderson

    I understand how you can use PML settings to set the threshold. What I am asking for is the ability to make actions on more than just tags.


    Consider the following example.


    PML:Clean is set, but VirusTotal says bad. I want to create a rule that if PML:Clean was set because the confidence level was 95% and VirusTotal reported only one scan engine said it was bad out of all of the scan engines, then resolve the email and mark it as clean.


    If PML:Clean was set at 75% but VirusTotal says bad with 75% of the scan engines reporting as bad, then mark the email as bad and don't resolve.


    These types of rules are not currently possible. 

    Douglas Freeman

    Thank you for the clarification, Jared!

    You are correct; that level of dispositioning is not currently available. I can see why that would be a much more enhanced indicator of what was considered "clean" or "threat".

    I'll go ahead and write up a feature request to our Development team on this one. PhishER is constantly evolving, so I'm sure it's something they will take into consideration!
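
The two rules Jared describes, layered on the tiered tags Stan proposes, written out as decision logic. This is an added example, not PhishER functionality and not code from anyone in the thread; the `Verdict` fields, the tag names, the action names and every threshold are assumptions, and treating a missing VirusTotal result as "needs review" is a choice made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed cut-offs: 95 / 75 and 0.75 come from the examples in the thread,
# 0.10 is invented for illustration. None of them are product settings.
PML_TIERS = ((95, "HIGH"), (75, "MEDIUM"), (0, "LOW"))        # confidence, percent
VT_TIERS = ((0.75, "HIGH"), (0.10, "MEDIUM"), (0.0, "LOW"))   # share of engines

@dataclass
class Verdict:
    pml_category: str              # "CLEAN", "SPAM" or "THREAT"
    pml_confidence: float          # 0-100
    vt_malicious: Optional[int]    # engines reporting the sample as bad
    vt_total: Optional[int]        # engines that scanned it; None/0 = no result

def tier(value, tiers):
    """Return the name of the first tier whose floor the value reaches."""
    return next(name for floor, name in tiers if value >= floor)

def tags(v):
    """Tiered tags in the style proposed in the thread (hypothetical names)."""
    out = [f"PML:{v.pml_category}_{tier(v.pml_confidence, PML_TIERS)}"]
    if v.vt_total and v.vt_malicious:
        out.append(f"VT:BAD_{tier(v.vt_malicious / v.vt_total, VT_TIERS)}")
    return out

def disposition(v):
    """Combine both signals; anything ambiguous goes to an analyst."""
    t = tags(v)
    pml, vt = t[0], (t[1] if len(t) > 1 else None)
    if pml == "PML:THREAT_HIGH":
        return "mark_threat"
    if not v.vt_total:             # no VT result: do not auto-resolve on PML alone
        return "needs_review"
    if vt == "VT:BAD_HIGH" and pml != "PML:CLEAN_HIGH":
        return "mark_threat"
    if pml == "PML:CLEAN_HIGH" and vt in (None, "VT:BAD_LOW"):
        return "resolve_clean"
    return "needs_review"

# Constructed sample verdicts, not real scan data.
SAMPLES = [Verdict("CLEAN", 95, 1, 70), Verdict("CLEAN", 75, 54, 72),
           Verdict("CLEAN", 95, 54, 72), Verdict("CLEAN", 95, None, None)]

if __name__ == "__main__":
    for s in SAMPLES:
        print(tags(s), "->", disposition(s))
```

The third and fourth samples show the cases the thread does not settle: two high-confidence signals that disagree, and a clean verdict with no VirusTotal data, both of which this example routes to manual review instead of auto-resolving.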

