Phish Focus : Exception List

Overview

The Exception List in Phish Focus gives you the ability to define custom rules that override scan results for specific attributes found in reported emails. 

This can be useful for reducing false positives or negatives and for fine-tuning how your organisation classifies threats.

With the Exception List Admins can:

• Create override rules for six attribute types: URL, Domain, Sender Domain, IP, DNS, Email Address, and File Hash
• Set the overridden result to No Threat, Threat Detected, or Undetermined for each entry
• Use wildcard matching (*) to match partial values (e.g. *example.com*)
• Activate or deactivate entries at any time without deleting them

How to Configure

1. Log into the Phish Focus Platform.
2. Expand Setting and Select 'Exception List'
   
3. Select 'New Entry
   

4. Then you will,

   1. Select the exception Type (URL, Domain, Sender Domain, IP, DNS, Email Address, and File Hash).
   2. Select what you want it to be flagged as (Threat, Clean, Undetermined).
   3. Add value/s you want to add.
   4. Add the description notes for the exception.
   5. Choose if you want the exception to be active.
   6. Select Save
      

    

    Important Notes :

   1. If you select the rule to be active it will apply to any future emails reported.
   2. If an exception has been applied to an element within the email, it will be reflected in the Scan Results giving analysts clear visibility into which results have been adjusted by an exception rule. 
      
5. From here, you can view the exception in the list of all other exceptions created.
   As an Admin you can :
   • See the respective note/s
   • See who created it 
   • Enable / Disable it.