Hi All,
How can i change the body of the action email.send to have some meaningfull variables?
i can choose a single propeerty and it works but when i try to put variables like "URL" or $URL$ in the string value i get the text and not the url link?
10x in advance for your advises
Shay
Message was edited by: sysec on 1/4/12 2:34:41 AM CSTSolved! Go to Solution.
Create a string that has the contents you want in it, like:
Name:
Malware Email Alert
Rule Criteria:
Antimalware.Infected<Gateway Anti-Malware> equals true
Action:
Continue
Events:
Set User-Defined.notificationMessage = "Date: "
+ DateTime.ToWebReporterString
+ String.CRLF
+ "User: "
+ Authentication.UserName
+ String.CRLF
+ "Client.IP: "
+ IP.ToString (Client.IP)
+ String.CRLF
+ "URL: "
+ String.ReplaceAll (URL, "http", "hXXp")
+ String.CRLF
Email.Send ("Security@MyDommain.com", String.Concat ("Virus Alert from: ", System.HostName), User-Defined.notificationMessage)<Default>
NOTE: I am replacing the http with hXXp in a URL that is sent via email. We typically do this to make it unclickable in the email. In the case of a virus alert like this, the URL is malicious and we don't want someone to blindly click it to try it out.
Create a string that has the contents you want in it, like:
Name:
Malware Email Alert
Rule Criteria:
Antimalware.Infected<Gateway Anti-Malware> equals true
Action:
Continue
Events:
Set User-Defined.notificationMessage = "Date: "
+ DateTime.ToWebReporterString
+ String.CRLF
+ "User: "
+ Authentication.UserName
+ String.CRLF
+ "Client.IP: "
+ IP.ToString (Client.IP)
+ String.CRLF
+ "URL: "
+ String.ReplaceAll (URL, "http", "hXXp")
+ String.CRLF
Email.Send ("Security@MyDommain.com", String.Concat ("Virus Alert from: ", System.HostName), User-Defined.notificationMessage)<Default>
NOTE: I am replacing the http with hXXp in a URL that is sent via email. We typically do this to make it unclickable in the email. In the case of a virus alert like this, the URL is malicious and we don't want someone to blindly click it to try it out.
10x eelsasser
it totally works
Hello and thank you for this post. I have a very similar requirement to have emails sent after a rule has been triggered. Using your previous guidance in this post, we have been able to get it working. However we would like to add in the email the name of the system or host also if possible.
Does this functionality exist? If so how should we proceed?
Thank you,
Hello watarimono,
MWG has a property called System.HostName that contains the name of the system. If you include this in the notification message you should be good to go.
Regards,
Dirk
Thank you Dirk,
We were playing around with the System.HostName but it just gives us the name of the Webgateway. Are we missing something to have it pull the name of the workstation?
Hi watarimono!
System.Hostname does what you found, it represents the name of the Web Gateway.
To get the client workstation name (which I dont like doing because it assumes a lot of your network and DNS servers) it is a bit tougher, but not by much.
You can use the property:
DNS.LookupReverse(Client.IP)
This will perform a reverse lookup of the client IP, WHICH MEANS YOU MUST HAVE DNS SETUP CORRECTLY OTHERWISE IT WILL NOT WORK.
I dont like using reverse lookups because often DNS servers are not configured correctly to do reverse properly.
Best Regards,
Jon
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA