VIPRE Integrated Email Security (IES)'s Action Rules under the Settings menu allow you to enable powerful and customizable rules for your email. 

The Anatomy of an Action Rule

Before we discuss how to configure an action rule, let's first examine its different parts.

In the example shown in the screenshot below, you can see what makes up the body of a VIPRE IES Action Rule. 

1. Name of the action rule
2. Description of the action rule
3. Rule Expression: any(analysis.detections, .engine == "Vipre Spam" && .severity != "CRITICAL") This shows that this particular action applies to emails that are detected by the VIPRE AntiSpam engine with a Critical severity
4. Actions: Quarantine, Notify Recipient
5. Option to stop evaluating other action rules on match is checked
6. Option to enable this action rule is checked
7. Edit: Make changes to your action rule
8. Trash: Delete your action rule

Default Action Rule

There is one action rule included in VIPRE IES by default. 

• Quarantine Malicious Email: This action rule includes a rule expression that will quarantine all emails that are deemed to be malicious and will send an email notification to the end-user or recipient of the email; applies to Inline Mode only

To verify that the existing action rule will meet the needs of your organization:

1. From within the VIPRE IES web console, navigate to Settings > Action Rules
2. On the Action Rules screen

Configure an Action Rule

If the default action rule does not meet your needs, you can disable or delete it and configure a new one. To create your own customized action rule, navigate to Settings > Action Rules and follow the steps below:

1. Click Add Action Rule in the top right corner of the screen
   1. Name: Give your action rule a descriptive name so you can easily identify it
      • This name is used to identify the action rule in the Message Logs screen
   2. Description:  (Optional) Add more details about the action rule's purpose
   3. Rule: Define the conditions for your action rule here, using the autocomplete feature; click Validate to confirm that your rule is set up correctly
      1. See How to Build a Rule Expression below for additional guidance
   4. Actions > Select an action: Choose the actions to be taken when the rule conditions are met (e.g., quarantine the email, send a notification, etc.)
   5. Check whether or not you want the action rule to stop checking any other configured action rules when the conditions of this one match
   6. Check whether or not you want to enable this action rule
2. Click Save

Tips for Creating Effective Action Rules

Things to keep in mind when creating an action rule:

• Action Rule Order
  • All action rules are executed in the order in which they appear
  • After you create your rules, make sure to verify that they are in the appropriate order

• Rule Expression Editor
  • The rule expression editor uses a free-form text field that utilizes autocomplete
    • Click See Documentation to find examples and rule templates that can be inserted directly into the rule editor
  • Click the Validate button to verify that your rule is correctly formatted

• Actions
  • There can be more than one action for a policy
  • After adding the desired actions, click the check mark to add it to the policy

How to Build a Rule Expression

Rule Expressions are like instructions that tell VIPRE Integrated Email Security what to look for when analyzing your emails. We create these instructions using the following way to write conditions:

Basic Examples

• Checking for suspicious emails: analysis.verdict == "SUSPICIOUS"
  • This rule checks if our system has flagged the email as suspicious
• Checking for emails with high severity: analysis.severity == "HIGH"
  • This rule checks if the email has been flagged as high severity

Building Blocks

Here are some of the "Rule Expression building blocks" you can use:

• analysis.severity: This allows you to check for the severity of the email.
  • Values include: CRITICAL, HIGH, MEDIUM, LOW, INFO
• analysis.verdict: This allows you to check for the verdict of the email.
  • Values include: MALICIOUS, SUSPICIOUS, WHITELISTED, CLEAN
• analysis.detections: This allows you to check what the scan engines found.
  • analysis.detections.severity: Values include: CRITICAL, HIGH, MEDIUM, LOW, INFO
  • analysis.detections.verdict: Values include: MALICIOUS, SUSPICIOUS, WHITELISTED, CLEAN
  • analysis.detections.engine: Values include: VIPRE AV, VIPRE AntiSpam, VIPRE URL Scan, BEC, etc.
• source_context.mode:This allows you to check for messages based on email source mode
  • Values include: MONITORING, INLINE
• source_context.type: This allows you to check for messages based on email source type
  • Values include: O365, IMAP

Checking for Multiple Conditions within an Email’s Analysis

Sometimes you need to check for more than one thing. For example, to check if an email is suspicious and was flagged by the "BEC" engine, you can use:

analysis.verdict == "SUSPICIOUS" and any(analysis.detections, {.engine == "BEC"})

• any(): This part of the rule checks if at least one of the scan engines found something
  • In the example above, it's checking if the "BEC" engine has detected something

Need help?

If you need assistance, please submit a request to our Support team. A Support Technician will contact you promptly.