I am trying to configure email alerts anytime someone downloads a specific file type (i.e. zip, msi, exe). I need some help with setting this up. Should it be set up:
1) As an event on a specific rule? For instance I am able to create an event using Set User-Defined.Email and I can get email alerts every time a site is blocked. I have no issue using this approach for downloads but I'm not sure what rule this event(s) should go on.
2) Or should it be set up using the Incident Mapping: https://community.mcafee.com/docs/DOC-4837
If I go route 2 I'm not sure what incident IDs I should be using. According to the chart there are 2 different ranges:
Media type filtering incidents
Media type filtering incidents
I can't find any other information on the specifics of those ranges however.
Any help would be appreciated, thanks!
You would do this in the rules when you block a file (not in the error handler).
You would not do this using Incidents in the Error Handler. Incidents are automated checks performed by the MWG; they are not related to user transactions. Errors (events related to the "Error.Id") ARE related to user transactions, but only trigger when there is a problem (like when AV engine fails to load, or when an ICAP server is not available).
So, you could do this under Global Media Type Filtering > Block Download Media Types, then on the rules where you block / continue you can just configure it to send an email alert, just like you do when a user gets blocked by URL filtering.
So here's what I set up just to test to make sure the emails are coming through correctly:
Does this look right? Everything with it seems to be good except the Download Allowed is generating 2 emails each time.
Could you take a wider screenshot to include the ruleset criteria?
The number of emails you get depends on the type of object you are scanning. Keep in mind MWG runs through the rule engine in cycles (request, response, embedded).
Your rules may be matching for request and response, or possibly embedded.
As for the criteria for Download Media Types it's still at the default: Cycle.TopName equals "Response". Here is a larger screenshot:
I've added a little more to the event rules but it still looks like it's triggering too much. For instance I got an email for "Download Blocked" and the url was: http://thumb10.shutterstock.com/photos/thumb_large/941662/143535532.jpg
We are not blocking jpgs and from a test default account I was able to get to that no problem.
Oops - Copy rule got me...I forgot to change the subject for the Allowed.
What criteria would I use for the Downloads Allowed so that it would only trigger for types that I specify? (Executables, Videos, etc)
Ok, looks like I got the criteria figured out: MediaType.FromFileExtension at least one in list
With a test download of an excel file it still sent 2 emails. I'm assuming from the click to download, then the actual save as? Any way to keep this at 1 email?
From a quick look at your rules I would add more criteria to stick the eMail rule to the correct cycle. From what I see it could send you a lot of eMails for each embedded cycle run, which is probably not what you want :-) You should try something like "Cycle.Name equals Response".
The rule engine tracing which is now part of MWG should help to better understand why the rule is executed twice and to find the criteria that needs to be excluded to prevent this from happening.