Hi there! I'm on a quest to get ePO to correctly throttle virus notification emails. Previously we did no throttling at any of our sites, but that's not a good idea of course.
What I am hoping to accomplish is to receive some email notification to a specific distribution list about each and every malware detection. Our company is small enough that this is OK. But I want to make sure at most we get such notifications once every 20 seconds, or some other sane setting.
I've tried various settings and they all have the same result - events are all reported, but not in a timely way - they are offset. You'll see what I mean.
I'm running ePO 4.5 patch 1.
So for example, I have a notification rule defined at My Organization (the root) for the two threat categories Malware detected and Malware detected using heuristics. This gives us all virus notifications.
Then I trigger this response for every event, but under throttling I choose "at most, trigger this response once every 5 minutes". Those are the only two things checked under the Aggregation heading in the response builder.
Then I go to the eicar page and download the test file a bunch of times, and send the events off to the ePO server.
Here I see three events make it to the ePO server. In the threat event log they are generated at 6:10:51, 6:10:55, 6:10:58 (UTC).
However, when the mail comes in shortly afterward, I get
05/17/10 17:45:40 UTC, 05/17/10 17:45:44 UTC, 05/17/10 17:45:48 UTC, 05/17/10 18:10:51 UTC
This seems to be some of the earlier test events that I didn't get a notification for with this rule, but the final one is the first one of this group.
I'm not sure what I'm doing wrong here, but this seems to be the way this goes, no matter how I set the throttling, and whether or not I mess with aggregation settings.
If I run the test again, I'll get the 6:10:55 and 6:10:58 events in the next email, along with part of the group I'd expect to get mailed about.
The issue here would be that nobody is notified of some of the events until more events happen down the road. The notifications don't seem to be timely with these settings.
Can anyone offer some advice?
I don't think you are doing anything wrong here. The setting says "at most, trigger this response once every 5 minutes".
So, the first eicar detection triggers the response. Any events waiting are sent. In this case that would be a few older ones and the first eicar.
I bet if you waited another 5 minutes and triggered another response you would get the remaining two (6:10:55, 6:10:58) plus the new one.
The important thing here is that throttling means a reduction in the events being sent in real-time.
Any events which occur after the first and in between those 5 minute intervals are in effect queued up for the next event triggered *after* the 5 minutes have expired.
At least that's my understanding.
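The queuing behaviour this reply describes, as an added Python model that is not part of the thread and not an ePO component: the 17:43 detection and the 18:20 test run are constructed timestamps, filled in to represent the earlier notification and the poster's "run the test again" step; the rest are the times quoted in the question.

```python
from datetime import datetime, timedelta

# Constructed timeline in UTC, modelled on the thread: one earlier detection
# (17:43:00, assumed, to explain why the 17:45 events were already queued),
# the 17:45 test events, the three 18:10 eicar downloads, and a later test
# run at 18:20 standing in for "if I run the test again".
EVENTS = [
    "2010-05-17 17:43:00",
    "2010-05-17 17:45:40", "2010-05-17 17:45:44", "2010-05-17 17:45:48",
    "2010-05-17 18:10:51", "2010-05-17 18:10:55", "2010-05-17 18:10:58",
    "2010-05-17 18:20:00", "2010-05-17 18:20:04",
]
FMT = "%Y-%m-%d %H:%M:%S"


def simulate_throttle(events, interval_seconds):
    """Model of 'at most, trigger this response once every N' as the reply
    describes it: an event arriving while the throttle is inactive fires the
    response and flushes every queued event with it; an event arriving inside
    the window is only queued. Nothing fires on a timer, so a queued event
    waits for the next event that arrives after the window has expired.
    Returns (notifications, still_queued); each notification is
    (trigger_time, [event times included in that email])."""
    interval = timedelta(seconds=interval_seconds)
    times = sorted(datetime.strptime(e, FMT) for e in events)
    queue, notifications, last_fired = [], [], None
    for ts in times:
        queue.append(ts)
        if last_fired is None or ts - last_fired >= interval:
            notifications.append((ts, queue))
            queue, last_fired = [], ts
    return notifications, queue


def worst_latency_seconds(notifications):
    """Longest time any event sat in the queue before being mailed. Under this
    model it is bounded by the gaps between detections, not by the interval."""
    return max((sent - ev).total_seconds()
               for sent, evs in notifications for ev in evs)


def fmt(ts):
    return ts.strftime("%H:%M:%S")


if __name__ == "__main__":
    sent, pending = simulate_throttle(EVENTS, 300)
    for trigger, evs in sent:
        print(f"email at {fmt(trigger)} covers {[fmt(e) for e in evs]}")
    print("still unnotified:", [fmt(e) for e in pending])
    print("worst latency (s):", worst_latency_seconds(sent))
```

Run against these timestamps the 18:10:51 email carries the three 17:45 events plus the first eicar hit, the 18:10:55 and 18:10:58 hits only go out with the 18:20 run, and the worst-case latency (about 25 minutes) is set by how long the site is quiet, not by the 5 minute setting.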