Before reported emails are analyzed by the IoC services, they are first checked against Rules. Rules are YARA rules written for reported emails. An email can be evaluated by one or more rules; if it matches a rule, it receives the tag assigned to that rule and is displayed in the Reported Emails section with that tag.
As shown in the example, emails that match a YARA rule will receive the tags associated with those rules.
When you enter the Rules section, you will find two different tabs: Custom and System.
System Rules are the default rules that come with the application.
Custom Rules allow you to create your own rules as needed.
After entering the Name and Description, select one of the Target options to specify which part of the reported email the rule is applied to: RAW, Headers, Body, or Attachments. The rule's strings and conditions are matched only against the selected part of the email.
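Two custom rules, added here as an illustration and not taken from the application's System rules, show how the Target choice shapes what a rule can see: the first is meant for the Headers target and only makes sense against header text (it assumes the receiving mail server records an Authentication-Results header), the second for the Body target. The rule names, strings and thresholds are assumptions chosen for the example; the tag shown in each rule's comment is the one you would assign in the Tags section, since the application takes tags from that section rather than from the rule file.

```yara
// Headers target. Matches only when the message headers carry an SPF or
// DKIM failure verdict written by the receiving MTA (assumed to be present).
// Suggested tag in the Tags section: auth-fail
rule Auth_Failure_In_Headers
{
    meta:
        description = "SPF or DKIM failure recorded in Authentication-Results"
    strings:
        $spf  = /spf=(fail|softfail)/ nocase
        $dkim = "dkim=fail" nocase
    condition:
        any of them
}

// Body target. Flags a password-reset lure: a call to action, at least one
// urgency phrase and a link. Run with the Headers target it would never
// match, because the body text is not in scope there.
// Suggested tag in the Tags section: credential-lure
rule Password_Reset_Lure_In_Body
{
    meta:
        description = "Urgent password verification request containing a link"
    strings:
        $action  = "verify your password" nocase
        $urgent1 = "account will be suspended" nocase
        $urgent2 = "within 24 hours" nocase
        $link    = /https?:\/\/[^\s"'>]+/ nocase
    condition:
        $action and 1 of ($urgent*) and $link
}
```

Use Pretest to confirm each rule matches only the reported emails you expect before applying it.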
Tags and Pretest
Tags identify which emails matched which rules. In the Tags section you define the keywords you want attached to matching emails. To see which reported emails a rule would apply to, use the Pretest button to test the rule before it is fully applied.
Pretest results are displayed in the Matched Reported Emails list, as shown in the visual.