====== Start using Screener ====== Now, when the setup is done. It is time to start using the tool. \\ If it is not set up yet, please refer to these articles: \\ [[installing_screener_linux|Install Screener in Linux]] \\ [[installing_screener_vmware|Setup Tutorial for VMware]] \\ [[installing_screener_virtualbox|Setup Tutorial for Virtualbox]] \\ ===== Step 1: Domain and SSL certificate ===== As the first step it is highly recommended to setup [[screener_domain_ssl_configuration|Domain and SSL]]. However, it is not necessary. MSI plugin is able to work with no SSL over IPv4. \\ This step is a must to make O365 plugin operational, it can not operate via IP address. Also, with the domain name configured you can create an MX record for the owned domain name to receive reports over SMTP protocol. At this stage, if an MX record is configured, the Screener is already able to accept the reports. Simply forward a suspicious email as an attachment to the anyname@yourdomain.com. ===== Step 2: Configure the Plugin ===== Configure the plugin in Settings -> Plugins. \\ it is necessary to define, which version is going to be used, [[screener_o365_plugin|O365]] or [[screener_msi_plugin|MSI]]. ===== Step 3: Configure Automatic analyze rules ===== Configure or leave by default [[screener_yara_dictionaries|Yara Dictionaries]]. \\ Configure or leave by default [[yara_rules_screener|Yara Rules]]. \\ Configure or leave by default [[screener_custom_rules|Custom Rules]]. \\ Configure or leave by default Analyzer Score. \\ ===== Step 4: Users ===== [[screener_users|Configure]] additional users if necessary. \\ Each user has equal permissions, but it is possible to configure different timezones per user. \\ ===== Step 5: Deploy the plugin ===== Download and deploy the [[screener_o365_plugin|O365]] or [[screener_msi_plugin|MSI]] plugin. ===== Step 6: Report an incident ===== As soon as installed, a button should appear in the Outlook interface. \\ Simply select a suspicious email in the list and click the button. \\ The suspicious email is reported and now should appear in the Screener Incidents section. \\ Or, it can appear in the "Simulations" sections in case if a LUCY email message was reported. \\ The screener always listens to port 25, so in case if you are planning to report incidents over SMTP, it is enough to create an MX record of the screener domain.\\ For example:\\ There is a domain name screener.com pointing to the instance. Simply use randomemailaddress@screener.com and the Screener will accept the report. ===== Step 7: Review the incident ===== It is possible to review the incoming incidents. \\ The system will do an automatic analysis of an incident as soon as it is received. \\ The automatic scan will happen according to the Analyze rules. It will receive some spam score. \\ The amount of the spam score is unlimited, however, it'll be cut of to 10 since it is a maximum value for an incident.\\ {{ :review_incidents_screener.png?600 |}} ===== Step 8: Define the threat ===== Change the workflow status from Open to In Progress. \\ Define what should be done with the incident. \\ Should a user send an abuse? \\ Should a user rescan the incidents? \\ As soon as the incident is reviewed by a user, it is possible to define the Resolution for the incident. \\ It can be Dangerous or Dismissed. As soon as the Resolution is defined, the workflow status for the incident will be automatically set to "Closed". {{ :scr_incident_workflow.png?600 |}}