7 Replies Latest reply on Aug 17, 2017 1:41 PM by woody188

    Mcafee ATD notification

    bec3

Dears,

Is there a way to send a notification email when ATD finds a malicious file?

        • 1. Re: Mcafee ATD notification
          d_aloy

          Hi bec3

           

          Nope - you can't configure or send email notifications from ATD. You could however syslog the analysis results out to a SIEM/syslog server and configure email notifications there.

           

          Regards

          David

          • 2. Re: Mcafee ATD notification
            bec3

Thanks David for the quick response,

Okay, what about TIE? Can we send a notification from TIE when a bad reputation is found?

            • 3. Re: Mcafee ATD notification
              d_aloy

               

               

No worries bec3

For TIE, I'm not 100% sure...

I could check the product guide to confirm it, but since TIE is fully integrated with ePO, I'm pretty sure you can email out notifications for specific TIE events from ePO.

               

              Regards

              David

              • 4. Re: Mcafee ATD notification
                bretzeli

                Hello,

                 

a) ATD: Sadly no, you CAN only send a THREAT alert with absolutely no info you can USE from reports OR automatic answer. There is INFO under ATD Event Log Information of the THREAT in ePO, but you simply can't use it in standard reports. Maybe possible if you use the ePO API or go directly to the SQL tables.

b) Sending E-Mail from ATD: We are sadly disappointed that they were unable to INTEGRATE that into release 4.0. There has been a McAfee IDEA posted by several people for that. They have the E-Mail/SMTP module, so sending an E-Mail should not be a problem. It's three lines of code anyway, so why not? BUT maybe if you buy such an XX-Dollar thing they think you have a SIEM (Splunk) or large syslog servers in place with reporting etc.

c) TIE: Yes, for TIE you can send such an E-mail. Play around with an EVENT (Threat) you see in ePO and try to build an automatic Response.

Here is a sample from ENS 10.5 and TIE. We send an alert when something is blocked.

Sample of the info we get BACK from ATD to ePO:

                 

                • 5. Re: Mcafee ATD notification
                  woody188

                  This is highly disappointing. So the information is there but you'll need a SIEM to get at it. Just great.

                  • 6. Re: Mcafee ATD notification
                    d_aloy

Maybe another option would be to use the ATD API and script a scheduled check that will trigger an email out based on the threat level of the file inspected? And maybe even add some of the report details... But I haven't used the ATD API, so I'm not sure how much you could pull that way and automate the email notification.

                     

                    Regards

                    David
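The scheduled check David describes, as an added example that is not from this thread or from McAfee: it takes a batch of analysis results, alerts only on files at or above a chosen severity, remembers which job IDs were already mailed so a repeated run does not re-alert, and builds the digest email. The ATD API's real response format is not shown in the thread, so the JSON shape, the 0-5 severity scale, and the field names here are assumptions, and the sample results are constructed.

```python
import json
import smtplib
from email.message import EmailMessage

# Constructed sample of analysis results. The real ATD API response
# format is not shown in the thread; this shape and field names are assumed.
SAMPLE_RESULTS = json.dumps([
    {"jobId": 101, "fileName": "invoice.pdf",
     "md5": "PLACEHOLDER-MD5-1", "severity": 5, "verdict": "Malicious"},
    {"jobId": 102, "fileName": "readme.txt",
     "md5": "PLACEHOLDER-MD5-2", "severity": 0, "verdict": "Clean"},
    {"jobId": 103, "fileName": "setup.exe",
     "md5": "PLACEHOLDER-MD5-3", "severity": 3, "verdict": "Suspicious"},
])

def select_alerts(results_json, min_severity, already_alerted):
    """Return results at or above min_severity whose jobId has not been
    alerted on yet; already_alerted is updated so a later scheduled run
    does not mail the same verdict twice."""
    alerts = []
    for r in json.loads(results_json):
        if r["severity"] >= min_severity and r["jobId"] not in already_alerted:
            already_alerted.add(r["jobId"])
            alerts.append(r)
    return alerts

def build_email(alerts, sender, recipient):
    """Compose one digest email listing the selected alerts."""
    msg = EmailMessage()
    msg["Subject"] = f"ATD: {len(alerts)} file(s) at or above threshold"
    msg["From"] = sender
    msg["To"] = recipient
    lines = [f"{a['verdict']:<10} sev={a['severity']} job={a['jobId']} "
             f"{a['fileName']} md5={a['md5']}" for a in alerts]
    msg.set_content("\n".join(lines))
    return msg

def run_check(results_json, min_severity, seen, sender, recipient, smtp_host=None):
    """One scheduled run: pick new alerts, build the mail, send it only
    when an SMTP relay host is given. Returns the message or None."""
    alerts = select_alerts(results_json, min_severity, seen)
    if not alerts:
        return None
    msg = build_email(alerts, sender, recipient)
    if smtp_host:
        with smtplib.SMTP(smtp_host) as s:
            s.send_message(msg)
    return msg

if __name__ == "__main__":
    print(run_check(SAMPLE_RESULTS, 3, set(), "atd@example.com", "soc@example.com"))
```

Persist the `seen` set between runs (a small file or database) so the dedup survives a restart of the scheduler.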

                    • 7. Re: Mcafee ATD notification
                      woody188

                      Appreciate it, but we're moving forward with a SIEM product anyhow.