FIG. 25 depicts an interface 1300 for creating new rules. Parameters for rules can include some or all of: a name 1310, a description, a severity value 1320, a priority value, rule content 1330 (e.g., a YARA rule), a scope, and a status (active/inactive). For exemplary purposes, the priority value may be any number from “1” to “5”, where a higher number indicates a higher priority. Further, a “1” may identify an internal email that is a non-threat. New rules are created as inactive by default. An inactive rule will not be run on any incoming reported message or cluster. A user must change the status of the rule to active to enable the rule to run on reports. The administrator may change the scope by setting the rule to be matched against the message or against the attachment 1340. Rules may also reference other rules, but a rule and the rules it references must have the same scope (i.e., all must match against either the message or the attachment).
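The rule parameters and constraints described above can be enforced when a rule is saved. The following sketch is an added example, not code from the described system: the `Rule` and `RuleStore` names, the field names, the regex-based detection of rule references in a YARA condition, and the priority ordering in `runnable` are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

SCOPES = ("message", "attachment")

@dataclass
class Rule:
    name: str
    content: str           # YARA source text
    scope: str             # what the rule is matched against
    severity: int = 1
    priority: int = 1      # 1..5, higher number = higher priority
    description: str = ""
    active: bool = False   # new rules are created inactive

class RuleStore:  # hypothetical store, not the system's own
    def __init__(self):
        self.rules = {}

    def referenced(self, rule):
        """Stored rule names used as identifiers in the YARA condition."""
        m = re.search(r"\bcondition\s*:(.*)\}", rule.content, re.S)
        cond = re.sub(r'"(\\.|[^"\\])*"', "", m.group(1) if m else "")
        # Skip $string, #count, @offset, !length and dotted module fields.
        idents = set(re.findall(r"(?<![$#@!\w.])[A-Za-z_]\w*", cond))
        return sorted(n for n in idents if n in self.rules and n != rule.name)

    def add(self, rule):
        if rule.scope not in SCOPES:
            raise ValueError(f"{rule.name}: unknown scope {rule.scope!r}")
        if not 1 <= rule.priority <= 5:
            raise ValueError(f"{rule.name}: priority must be 1 to 5")
        for ref in self.referenced(rule):
            if self.rules[ref].scope != rule.scope:
                raise ValueError(f"{rule.name}: references {ref}, which has "
                                 f"scope {self.rules[ref].scope!r}")
        self.rules[rule.name] = rule

    def runnable(self, scope):
        """Names of active rules for a scope, highest priority first."""
        hits = [r for r in self.rules.values() if r.active and r.scope == scope]
        return [r.name for r in sorted(hits, key=lambda r: -r.priority)]

if __name__ == "__main__":
    store = RuleStore()  # constructed sample rule
    store.add(Rule("base_phish", 'rule base_phish { strings: '
                   '$a = "verify your account" condition: $a }',
                   "message", priority=4))
    store.rules["base_phish"].active = True
    print(store.runnable("message"))
```

The reference check only sees rules already in the store, and it does not strip YARA comments from the condition.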