Actions

In Actions, you can create new actions and view existing ones. Actions can be used manually or defined within a playbook. To create a new action, click the Create New Action button, as highlighted in the visual.

Create Actions

In the action creation screen, you first need to specify a name. Then, you can choose between Manual or Important options for the action being created.

If the Manual option is selected, the action can be applied both automatically and manually. The automatic execution of the action depends on it being defined in a playbook and matching a reported email.

When the Important option is selected, all other actions are halted, and only the action marked as Important will be executed. This applies to both manually and automatically triggered actions.

Manual Actions

When actions are to be applied manually, navigate to the email detail screen from the Reported Emails page. Then, click the Take Action button, as highlighted in the visual, to manually apply the desired action.

 

Automatic Actions

The automatic execution of actions is dependent on the reported email matching the conditions defined in the created Playbooks.

As shown in the visual example, the action to be applied is INVESTIGATE FIND when SENDER CONTAINS, and it is triggered automatically when it matches the playbook, as specified under Matched Clauses (FROM CONTAINS @outlook.com). When this condition is met, the action is executed automatically.

Under the Action Executions section, automatically applied actions are displayed. Additionally, by using the Incident Management button, you can view the actions and intervene if you need to stop them.

Select Actions

Actions are categorized into 8 groups.

  1. Status: Actions are used to group emails, with grouping options including Clean, Phishing, Spam, and Unknown.
  2. Priority: Actions are also used to assign priorities to reported emails. The priority levels available are Low, Medium, High, and Urgent. For example, a high-priority action can be applied to a domain address defined in a playbook.
  3. Category: This action is applied to move reported emails to the Completed Incidents section.
  4. Investigate: Actions applied to emails are determined based on specific conditions. The first condition selected is Search Base. With Search Base, you can choose from the following options: Subject, Sender, Subject and Sender, or Message ID.
    After this step, the Match Base selection is made. It consists of two conditions: Contains and Equals.
    With Contains, all emails that include the specified keywords in the selected Search Base will be displayed. For example, if “outlook” is specified as the keyword, all emails containing “outlook” will be shown.
    With Equals, the matches must be exact. For instance, if “test@outlook.com” is specified, only emails that exactly match “test@outlook.com” will be included. The example results will vary depending on the Search Base selection. For instance, if you select Subject, the results will focus on email subjects. If Sender is selected, the results will be based on the sender’s email address, and so on, aligning with the chosen Search Base criteria.
    After selecting the conditions, you choose the action to be applied under the Process section. This is where you define the specific action that should be executed based on the selected conditions.
  5. Notify: After actions are applied to emails, notifications are sent to the selected users. The following options are available for notifications:
    • Attach EML: The reported email is attached to the notification email.
    • Notify Reporters: A notification email is sent to the users who reported the email.
    • Select Language: The language of the notification emails is selected.
    • Use Recipients’ Language Preference: If the recipient has a preferred language set, the notification is sent in that language.
  6. Syslog: Details related to the applied action are sent to the predefined syslog server for logging and monitoring purposes.
  7. Tag: A custom tag is added to the emails on which an action has been applied. The added tag is then displayed in the Reported Emails section.
  8. Stop: When the Stop action is applied, IoC scans are not performed on the reported email.
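
The Search Base and Match Base conditions of the Investigate action, described in item 4, can be modelled as follows. This is an added example, not the product's own code: the `Email` class, the function names and the sample mailbox are constructed for illustration, and it assumes case-insensitive comparison and that "Subject and Sender" requires both fields to match.

```python
# Added illustration: a model of the Investigate conditions, not the product's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Email:
    message_id: str
    sender: str
    subject: str

# Search Base options named on the page, mapped to the fields they inspect.
SEARCH_BASES = {
    "Subject": ("subject",),
    "Sender": ("sender",),
    "Subject and Sender": ("subject", "sender"),
    "Message ID": ("message_id",),
}

def matches(email, search_base, match_base, value):
    """Return True if the email satisfies one Search Base / Match Base condition."""
    if match_base not in ("Contains", "Equals"):
        raise ValueError(f"unknown Match Base: {match_base}")
    needle = value.casefold()  # assumption: comparison ignores case
    fields = [getattr(email, f).casefold() for f in SEARCH_BASES[search_base]]
    # Assumption: "Subject and Sender" requires every listed field to match.
    if match_base == "Contains":
        return all(needle in field for field in fields)
    return all(field == needle for field in fields)

def investigate(mailbox, search_base, match_base, value):
    """List the Message IDs of all emails that the condition selects."""
    return [e.message_id for e in mailbox if matches(e, search_base, match_base, value)]

# Constructed sample mailbox (not real data).
MAILBOX = [
    Email("<m1@example>", "test@outlook.com", "Invoice overdue"),
    Email("<m2@example>", "billing@outlook.com", "Your Outlook password expires"),
    Email("<m3@example>", "it@outlook.com.mail-check.example", "Password reset"),
    Email("<m4@example>", "hr@corp.example", "Outlook migration schedule"),
]

if __name__ == "__main__":
    print(investigate(MAILBOX, "Sender", "Contains", "@outlook.com"))
    print(investigate(MAILBOX, "Sender", "Equals", "test@outlook.com"))
```

In the constructed mailbox, Sender Contains `@outlook.com` also selects the address whose domain only begins with `outlook.com`, which is worth checking before attaching an automatic action to a Contains condition.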