bec3
Level 9

Mcafee ATD notification


Dears,

Is there a way to send a notification e-mail when ATD finds a malicious file?

0 Kudos
1 Solution
10 Replies
d_aloy
Level 12

Re: Mcafee ATD notification


Hi bec3

Nope - you can't configure or send email notifications from ATD. You could however syslog the analysis results out to a SIEM/syslog server and configure email notifications there.

Regards

David

0 Kudos
bec3
Level 9

Re: Mcafee ATD notification


Thanks David for the quick response,

Okay, what about TIE? Can we send a notification from TIE when a bad reputation is found?

0 Kudos
d_aloy
Level 12

Re: Mcafee ATD notification


No worries bec3

For TIE, I'm not 100 % sure...

I could check the product guide to confirm it, but since TIE is fully integrated with ePO, I'm pretty sure you can e-mail out notifications for specific TIE events from ePO.

Regards

David

0 Kudos
bretzeli
Level 11

Re: Mcafee ATD notification (Accepted Solution)

Hello,

a) ATD: Sadly, no. You can only send a THREAT alert with absolutely no info you can use from reports or automatic answers. There is info under ATD Event Log Information for the threat in ePO, but you simply can't use it in standard reports. Maybe possible if you use the ePO API or go directly to the SQL tables.

b) Sending e-mail from ATD: We are sadly disappointed that they were unable to integrate that into release 4.0. There has been a McAfee Idea posted by several people for that. They have the e-mail/SMTP module, so sending an e-mail should not be a problem. It's three lines of code anyway, so why not? But maybe if you buy such an XX-dollar thing they think you have a SIEM (Splunk) or large syslog servers in place with reporting etc.

c) TIE: Yes, for TIE you can send such an e-mail. Play around with an EVENT (Threat) you see in ePO and try to build an Automatic Response.

Here is a sample from ENS 10.5 and TIE. We send an alert when something is blocked.

Info we get back from ATD to ePO, sample:

0 Kudos
woody188
Level 10

Re: Mcafee ATD notification


This is highly disappointing. So the information is there but you'll need a SIEM to get at it. Just great.

0 Kudos
d_aloy
Level 12

Re: Mcafee ATD notification


Maybe another option would be to use the ATD API and script a scheduled check that will trigger an e-mail out based on the threat level of the file inspected? And maybe even add some of the report details... But I haven't used the ATD API, so I am not sure how much info you could pull that way and automate the e-mail notification.

Regards

David

0 Kudos
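The scheduled API check David describes, written out as an added example for this thread (not McAfee's code and not something posted by anyone above). It assumes the ATD REST flow as remembered from the ATD API reference: log in via /php/session.php with a VE-SDK-API header carrying base64(user:pass), reuse base64(session:userId) for later calls, and fetch the JSON report from /php/showreport.php. The report layout (Summary -> Subject / Verdict -> Severity), the hostnames, the account names and SAMPLE_REPORT are all assumptions or constructed data; check them against your appliance before relying on this.

```python
"""Scheduled ATD check that e-mails when an analysed file crosses a severity threshold.

Added example for this thread, not McAfee's code. Assumptions (verify against
your ATD API reference before use):
  * login via GET /php/session.php with header VE-SDK-API: base64(user:pass),
    later calls with VE-SDK-API: base64(session:userId);
  * reports via /php/showreport.php?jobId=<id>&iType=json;
  * report JSON shaped Summary -> Subject / Verdict, as in SAMPLE_REPORT below.
"""
import base64
import json
import smtplib
import ssl
import urllib.request
from email.message import EmailMessage

ATD_HOST = "atd.example.internal"                # assumed appliance hostname
ATD_USER, ATD_PASS = "api-reader", "changeme"    # load from a secret store in practice
SMTP_HOST = "smtp.example.internal"              # assumed relay
MAIL_FROM, MAIL_TO = "atd-alerts@example.internal", "soc@example.internal"
SEVERITY_THRESHOLD = 3                           # assumed 0..5 scale; 3 and above gets a ticket
ACCEPT = "application/vnd.ve.v1.0+json"

# Constructed sample in the assumed layout, not output captured from a real appliance.
SAMPLE_REPORT = {
    "Summary": {
        "Subject": {"Name": "invoice.exe", "Type": "PE32 executable",
                    "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha-256": "e3b0" + "0" * 60},
        "Verdict": {"Severity": "5", "Description": "Malicious"},
    }
}


def severity_from_report(report: dict) -> int:
    """Overall severity as int; -1 when the field is missing or not numeric."""
    try:
        return int(report["Summary"]["Verdict"]["Severity"])
    except (KeyError, TypeError, ValueError):
        return -1


def should_alert(report: dict, threshold: int = SEVERITY_THRESHOLD) -> bool:
    """Fail closed: alert on severity >= threshold, and also on a report we could not parse."""
    sev = severity_from_report(report)
    return sev < 0 or sev >= threshold


def build_alert(report: dict) -> EmailMessage:
    """Plain-text e-mail carrying the report details the ePO threat event lacks."""
    summary = report.get("Summary", {})
    subject = summary.get("Subject", {})
    verdict = summary.get("Verdict", {})
    sev = severity_from_report(report)
    sev_text = str(sev) if sev >= 0 else "unknown"
    msg = EmailMessage()
    msg["From"], msg["To"] = MAIL_FROM, MAIL_TO
    msg["Subject"] = f"[ATD] Severity {sev_text} {verdict.get('Description', 'Unknown')}: {subject.get('Name', '?')}"
    msg.set_content(
        "ATD analysis result\n"
        f"File:    {subject.get('Name', '?')} ({subject.get('Type', '?')})\n"
        f"MD5:     {subject.get('md5', '?')}\n"
        f"SHA-256: {subject.get('sha-256', '?')}\n"
        f"Verdict: {verdict.get('Description', '?')} (severity {sev_text})\n"
    )
    return msg


def _atd_get(host: str, path: str, token: str) -> dict:
    ctx = ssl.create_default_context()  # appliance cert must be trusted; do not disable verification
    req = urllib.request.Request(f"https://{host}{path}", headers={"Accept": ACCEPT, "VE-SDK-API": token})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read())


def atd_login(host: str, user: str, password: str) -> str:
    """Return the token used in VE-SDK-API for later calls (assumed flow)."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    results = _atd_get(host, "/php/session.php", creds)["results"]
    return base64.b64encode(f"{results['session']}:{results['userId']}".encode()).decode()


def fetch_report(host: str, token: str, job_id: int) -> dict:
    return _atd_get(host, f"/php/showreport.php?jobId={job_id}&iType=json", token)


def send_alert(msg: EmailMessage) -> None:
    with smtplib.SMTP(SMTP_HOST, 587, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.send_message(msg)


def check_jobs(job_ids) -> list:
    """Scheduled entry point: job IDs come from your own submission log; returns the jobs alerted on."""
    token = atd_login(ATD_HOST, ATD_USER, ATD_PASS)
    alerted = []
    for job_id in job_ids:
        report = fetch_report(ATD_HOST, token, job_id)
        if should_alert(report):
            send_alert(build_alert(report))
            alerted.append(job_id)
    return alerted


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no appliance or SMTP relay needed.
    print(build_alert(SAMPLE_REPORT))
```

Two design points: the decision logic fails closed, so a report without a parseable verdict raises an alert rather than being treated as clean, which means the scheduled job should only feed in jobs that have finished (ATD's status call is not shown here) or the SOC will see noise from analyses still in progress; and the e-mail body carries the hashes and verdict text, which is exactly the detail bretzeli notes the ePO threat event does not expose in standard reports.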
woody188
Level 10

Re: Mcafee ATD notification


Appreciate it, but we're moving forward with a SIEM product anyhow.

0 Kudos
rama2209
Level 7

Re: Mcafee ATD notification


Could you please help me to understand this issue? What is this threat message about?

0 Kudos
rama2209
Level 7

Re: Mcafee ATD notification


So, could anyone explain what the cause of this event is, where threat_name is "atd_detected_threat", Threat Category is "malware" and threat handled is "no"?

Signature ID: 357-36725, Normalize ID: 1344274432, Event ID: 110537401683

Is it a real threat or an issue of ePO/ATD?

What is this issue exactly?

0 Kudos