nate.hall
Level 9

Email alerts for downloads

I am trying to configure email alerts anytime someone downloads a specific file type (i.e. zip, msi, exe). I need some help with setting this up. Should it be set up:

1) As an event on a specific rule? For instance I am able to create an event using Set User-Defined.Email and I can get email alerts every time a site is blocked. I have no issue using this approach for downloads but I'm not sure what rule this event(s) should go on.

2) Or should it be set up using the Incident Mapping: https://community.mcafee.com/docs/DOC-4837

If I go route 2 I'm not sure what incident IDs I should be using. According to the chart there are 2 different ranges:

1400-1499: Media type filtering incidents

2100-2199: Media type filtering incidents


I can't find any other information on the specifics of those ranges however.

Any help would be appreciated, thanks!

0 Kudos
10 Replies
McAfee Employee

Re: Email alerts for downloads

You would do this in the rules when you block a file (not in the error handler).

You would not do this using Incidents in the Error Handler. Incidents are automated checks performed by the MWG; they are not related to user transactions. Errors (events related to the "Error.Id") ARE related to user transactions, but only trigger when there is a problem (like when the AV engine fails to load, or when an ICAP server is not available).

So, you could do this under Global Media Type Filtering > Block Download Media Types, then on the rules where you block / continue you can just configure it to send an email alert, just like you do when a user gets blocked by URL filtering.

Best,

Jon

0 Kudos
nate.hall
Level 9

Re: Email alerts for downloads

Thanks Jon!

So here's what I set up just to test to make sure the emails are coming through correctly:

MWG Download Alerts.png

Does this look right? Everything with it seems to be good except the Download Allowed is generating 2 emails each time.

0 Kudos
McAfee Employee

Re: Email alerts for downloads

Could you take a wider screenshot to include the ruleset criteria?

The number of emails you get depends on the type of object you are scanning. Keep in mind MWG runs through the rule engine in cycles (request, response, embedded).

Your rules may be matching for request and response, or possibly embedded.

Best,

Jon

0 Kudos
McAfee Employee

Re: Email alerts for downloads

The rules do look good, btw, just need refining to get the message you want (but you already know that).

0 Kudos
nate.hall
Level 9

Re: Email alerts for downloads

As for the criteria for Download Media Types it's still at the default: Cycle.TopName equals "Response". Here is a larger screenshot:

Rules.jpg

I've added a little more to the event rules but it still looks like it's triggering too much. For instance I got an email for "Download Blocked" and the url was: http://thumb10.shutterstock.com/photos/thumb_large/941662/143535532.jpg

We are not blocking jpgs and from a test default account I was able to get to that no problem.

0 Kudos
McAfee Employee

Re: Email alerts for downloads

Yeah, but you have the subject line to say that it was blocked, but it was not.

Your second rule applies always.

Best,

Jon

0 Kudos
nate.hall
Level 9

Re: Email alerts for downloads

Oops - Copy rule got me...I forgot to change the subject for the Allowed.

What criteria would I use for the Downloads Allowed so that it would only trigger for types that I specify? (Executables, Videos, etc)

0 Kudos
nate.hall
Level 9

Re: Email alerts for downloads

Ok, looks like I got the criteria figured out: MediaType.FromFileExtension at least one in list

With a test download of an excel file it still sent 2 emails. I'm assuming from the click to download, then the actual save as? Any way to keep this at 1 email?

0 Kudos
asabban
Level 17

Re: Email alerts for downloads

Hello,

From a quick look at your rules I would add more criteria to stick the eMail rule to the correct cycle. From what I see it could send you a lot of eMails for each embedded cycle run, which is probably not what you want :-) You should try something like "Cycle.Name equals Response".

The rule engine tracing which is now part of MWG should help to better understand why the rule is executed twice and to find the criteria that needs to be excluded to prevent this from happening.

Best,

Andre

0 Kudos
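
Why a rule scoped only by Cycle.TopName can still fire more than once per download, as an added example that is not part of any post in this thread and is not MWG code. It is a simplified Python model: the cycle sequence, the `Embedded` cycle label, the extension list and the URL are assumptions, and rule engine tracing on the appliance remains the way to confirm what actually matched.

```python
"""Simplified model of the processing cycles discussed in this thread.
Not MWG code: the classes, rule functions and sample URLs are constructed."""
from dataclasses import dataclass

# Constructed stand-in for the "at least one in list" media type list.
ALERT_EXTENSIONS = {"exe", "msi", "zip", "xlsx"}

@dataclass
class Cycle:
    name: str      # cycle being processed: Request, Response or Embedded
    top_name: str  # top-level cycle that the current cycle belongs to
    url: str

def extension(url):
    """Return the lower-cased file extension of the last path segment."""
    filename = url.rsplit("/", 1)[-1]
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def cycles_for_download(url, embedded_objects):
    """Cycles one transaction passes through in this model (assumption)."""
    yield Cycle("Request", "Request", url)
    yield Cycle("Response", "Response", url)
    for _ in range(embedded_objects):  # e.g. members of a container file
        yield Cycle("Embedded", "Response", url)

def rule_type_only(c):
    # MediaType.FromFileExtension at least one in list, no cycle criteria
    return extension(c.url) in ALERT_EXTENSIONS

def rule_top_name(c):
    # Same rule inside a ruleset with Cycle.TopName equals "Response"
    return c.top_name == "Response" and rule_type_only(c)

def rule_cycle_name(c):
    # Same rule with the suggested Cycle.Name equals "Response" added
    return c.name == "Response" and rule_type_only(c)

def emails_sent(rule, url, embedded_objects=1):
    """Count how often the email event fires for one download."""
    return sum(1 for c in cycles_for_download(url, embedded_objects) if rule(c))

if __name__ == "__main__":
    url = "http://files.example.test/reports/q3.xlsx"  # constructed URL
    for rule in (rule_type_only, rule_top_name, rule_cycle_name):
        print(f"{rule.__name__:16} -> {emails_sent(rule, url)} email(s)")
```

In this model the Cycle.TopName criterion still matches the embedded run because its top-level cycle is the response, while the Cycle.Name criterion matches exactly once.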