13 Replies. Latest reply on Jun 29, 2009 6:18 AM by Johonn

    E-mail alerts - share and discuss your scripts!

      I'm not happy with the alerts that we currently have in use, and I'm not having much luck configuring them the way I want them. I figured it might be cool if people posted the syntax for their alerts and how they end up coming out, so that maybe other users like myself could come away with some useful ideas.

      For example: We have an alert set up that will e-mail us if detections are found and not removed, if they involve at least one host and there are at least two detections. So our syntax looks like this:

      Affected Computer Names: {AffectedComputerNames}
      Source of Infection(s): {SourceComputers}
      ePolicy Orchestrator Notification Rule: {NotificationRuleName}
      Rule Defined At: {BranchNodePath}
      Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

      Number of events: {ReceivedNumEvents}
      Source computer IP addresses: {SourceComputers}
      Actual threat names: {ReceivedThreatNames}
      Actual products: {ReceivedProductFamilies}

      The e-mail that is generated looks like this:
      ---------------------------------------
      Affected Computer Names: LAPTOP1
      Source of Infection(s): Not Available
      ePolicy Orchestrator Notification Rule: Virus detected and not removed
      Rule Defined At: Directory
      Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

      Number of events: 71
      Source computer IP addresses: Not Available
      Actual threat names: Generic Downloader.dp
      Actual products: VirusScan
      -----------------------------------------

      So it lets us know there's a problem, but I don't feel like I'm getting as much information as I probably could be. Anyway, I'd love to see some alerts from others. Post 'em if you got 'em.
        • 2. RE: E-mail alerts - share and discuss your scripts!
          We had the same problem you seem to be having. It would say that something was found but never list any details, and oftentimes it would list 'full scan' as the source of the infection. There is a KB article that tells how to fix it, and I am trying to find out what I did with it.
          • 3. RE: E-mail alerts - share and discuss your scripts!
            Well let me know if you're able to dig anything up, or if you'd be willing to post what you guys are currently using that would be awesome too.

            I'm kind of surprised there isn't more interest in this topic. It's either incredibly easy or people just aren't that interested in e-mail alerts.
            • 4. RE: E-mail alerts - share and discuss your scripts!
              rwhitehill
              Here is how my email alert to the help desk is set up. I replaced computer names and user names with RED.

              While I don't feel it is adequate, it does let the help desk know there is probably something wrong and to do a third-party (usually Malwarebytes) scan. I suggest you add in every tag available, and then remove the ones you don't feel are necessary. Anyway, my 2 cents.

              Subject:
              Possible Virus problem on {AffectedComputerNames}
              Body:
              Actual number of events: {ReceivedNumEvents}
              Source Systems: {SourceComputers}
              Actual number of systems: {ReceivedNumComputers}
              IP Address {AffectedComputerIPs}
              First Event Time: {FirstEventTime}
              Event Description: {EventDescriptions}
              Event ID: {EventIDs}
              Additional Information: {AdditionalInformation}
              Affected systems names: {AffectedComputerNames}
              Affected Objects: {AffectedObjects}
              Time notification sent: {TimeNotificationSent}

              It looks like this:

              Subject: Possible Virus problem on (COMPUTER NAME)

              Actual number of events: 5
              Source Systems: Not Available
              Actual number of systems: 1

              IP Address 192.168.X.X
              First Event Time: 6/10/09 10:00:38 AM
              Event Description: Infected file deleted., file infected. Undetermined clean error, deleted successfully
              Event ID: 1027, 1280

              Additional Information: 3
              Affected systems names: (COMPUTER NAME)
              Affected Objects: C:\Documents and Settings\USERNAME\Local Settings\Temporary Internet Files\Content.IE5\XZ57JBIN\install[1].exe, C:\Documents and Settings\USERNAME\Local Settings\Temporary Internet Files\Content.IE5\O3BC6FCO\index[1].htm\00000122.js, C:\DOCUMENTS AND SETTINGS\USERNAME\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XZ57JBIN\INSTALL[1].EXE

              Time notification sent: 6/11/09 10:00:38 AM
              • 5. RE: E-mail alerts - share and discuss your scripts!
                I am pretty close to rwhitehill too. I added a little details section because I found that laptops that were off site would report back in and start to send off alerts. Knowing the time of the event lets us know how old it is. This is all because McAfee does not care when the event was created, just when it was received by ePO.

                I also added "{AffectedObjects}" because a lot of times the file path will be in the user's directory and I can see exactly who it was without going elsewhere. However, it can be kind of long if a machine is infected real good.


                Subject: {NotificationRuleName}


                Actions Taken: {ReceivedEventCategories}
                Event Description: {EventDescriptions}
                Effected Computer(s): {AffectedComputerNames}
                Ip Address: {AffectedComputerIPs}
                Number of Computers: {ReceivedNumComputers}
                Number of Events: {ReceivedNumEvents}
                Threat Names: {ReceivedThreatNames}
                Affected Files: {AffectedObjects}


                Alert Details:

                Notification Rule: {NotificationRuleName}
                Time of Event: {FirstEventTime}
                Notification Location: {SiteNodeName}

                This report is only sent at most every two hours when the Events exceed 20.




                Looks like:


                Subject: Virus Alert - Removed

                Actions Taken: Unwanted program detected and removed
                Event Description: Unwanted program, clean error, deleted, Unwanted program deleted.
                Effected Computer(s): (COMPUTERNAME)
                Ip Address: 192.168.2.2
                Number of Computers: 1
                Number of Events: 29
                Threat Names: Downloader-ABJ
                Affected Files: (FILE PATH)


                Alert Details:

                Notification Rule: Virus Alert - Removed
                Time of Event: 6/12/09 9:08:25 AM
                Notification Location: Workstations

                This report is only sent at most every two hours when the Events exceed 20.
                • 6. RE: E-mail alerts - share and discuss your scripts!
                  Johonn, so if your threshold is set to >20 events, how do you deal with a machine that has a file that can't be cleaned and constantly reinfects itself? In theory, wouldn't you never receive an alert on a machine like this?
                  • 7. RE: E-mail alerts - share and discuss your scripts!
                    This may be a diversion of topic, but is there any possible way to get usernames onto notifications?
                    • 8. RE: E-mail alerts - share and discuss your scripts!
                      rwhitehill
                      I left this out of mine, but for frequency I use:

                      Send a notification for every event (Is enabled)

                      At most, send a notification every: 1 day

                      So, the Help Desk will get an email for any issue, and only one per day.

                      --

                      As far as the username goes, I don't see a variable which gives this information. This is why I make sure the computer name is listed, as I can easily look up that information.
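An added example, not posted by anyone in this thread and not part of ePO: a small Python script that takes a rendered alert body of the shape shown above and pulls out the pieces a help desk ticket actually needs. It covers two points raised here. First, the event age that Johonn added his details section for: it subtracts First Event Time from Time notification sent and flags the alert as stale when the gap exceeds a threshold (12 hours here, an assumed value; pick your own). Second, the username question: no ePO variable for it is posted in this thread, so the script recovers the account name the way post 5 hints at, by reading the profile directory out of the paths in Affected Objects. The SAMPLE_ALERT text, its host name, IP, user names and file paths are constructed for the example; only the label-and-value layout and the date format are taken from the rendered e-mails above.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the rendered alert bodies posted in this
# thread. Host, IP, user names and paths are made up for the example.
SAMPLE_ALERT = r"""Subject:Possible Virus problem on WS-0042

Actual number of events: 5
Source Systems: Not Available
Actual number of systems: 1
IP Address 192.168.10.23
First Event Time: 6/10/09 10:00:38 AM
Event Description: Infected file deleted., file infected. Undetermined clean error, deleted successfully
Event ID: 1027, 1280
Additional Information: 3
Affected systems names: WS-0042
Affected Objects: C:\Documents and Settings\jdoe\Local Settings\Temporary Internet Files\Content.IE5\XZ57JBIN\install[1].exe, C:\DOCUMENTS AND SETTINGS\JDOE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XZ57JBIN\INSTALL[1].EXE, C:\Users\asmith\AppData\Local\Temp\setup[1].exe
Time notification sent: 6/11/09 10:00:38 AM
"""

# Timestamp format as rendered in the posts above: M/D/YY h:mm:ss AM|PM, no zone.
TIME_FMT = "%m/%d/%y %I:%M:%S %p"

# Profile directories that are not real user accounts.
NOT_A_USER = {"all users", "default user", "default", "public",
              "localservice", "networkservice"}

_LABEL_RE = re.compile(r"^([A-Za-z() ]+?):\s*(.*)$")
_PROFILE_RE = re.compile(r"\\(?:documents and settings|users)\\([^\\]+)\\",
                         re.IGNORECASE)


def parse_alert(body):
    """Turn a rendered alert body into a {label: value} dict.

    The label is taken up to the FIRST colon, so values that contain colons
    themselves (drive letters, timestamps) survive intact. The 'IP Address'
    line in the posted template has no colon at all and is special-cased.
    """
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LABEL_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
        elif line.startswith("IP Address "):
            fields["IP Address"] = line[len("IP Address "):].strip()
    return fields


def split_list(value):
    """ePO joins multi-valued variables with ', '. A path that itself contains
    ', ' would be split wrongly; that is a limit of the rendered text."""
    return [v.strip() for v in value.split(", ") if v.strip()]


def users_from_paths(paths):
    """Recover account names from profile paths (the trick mentioned in the
    thread: the detected file usually sits under the user's profile).
    Case-insensitive and deduplicated, since ePO renders some paths upper-cased."""
    users = set()
    for p in paths:
        for m in _PROFILE_RE.finditer(p):
            name = m.group(1).lower()
            if name not in NOT_A_USER:
                users.add(name)
    return sorted(users)


def event_age_hours(fields):
    """Hours between the first event and the moment ePO sent the notification.
    A large value means the event was generated while the host was off the
    network and only uploaded later, so the detection may be long stale."""
    first = datetime.strptime(fields["First Event Time"], TIME_FMT)
    sent = datetime.strptime(fields["Time notification sent"], TIME_FMT)
    return (sent - first).total_seconds() / 3600.0


def triage(body, stale_after_hours=12.0):
    """Summarise one alert for a ticket: host, address, event IDs, implicated
    users, and whether the events are old enough to check before paging anyone.
    The 12-hour default is an assumed threshold, not an ePO setting."""
    f = parse_alert(body)
    objects = split_list(f.get("Affected Objects", ""))
    age = event_age_hours(f)
    return {
        "computer": f.get("Affected systems names", ""),
        "ip": f.get("IP Address", ""),
        "event_ids": [int(x) for x in re.findall(r"\d+", f.get("Event ID", ""))],
        "objects": objects,
        "users": users_from_paths(objects),
        "age_hours": age,
        "stale": age > stale_after_hours,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

Run it against the text of an alert saved from your mailbox and the output is what a ticketing system would want as fields rather than a blob. The username recovery only works for paths under a profile directory; a detection in C:\Windows\Temp tells you nothing about who was logged on, which is exactly why the posts above keep the computer name in the message as the fallback key.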
                      • 9. RE: E-mail alerts - share and discuss your scripts!
                        Mindcrime,

                         I actually have another alert set up with different filters that alerts us to every virus that cannot be removed. The one I posted was for successful removal only. Basically I have found that if it is more than 15, they have some spyware that we need to address.