This is just a guess, but have you tried configuring the response with "threat event ID equals 19015" rather than "threat event ID contains 19015"?
Thanks for the response.
Turns out that the email functionality is actually working. The problem lies in the filter.
I stripped the filter back to the following:
detecting product name = Data Loss Protection
threat type = DEVICE_PLUG
I get email as expected.
Add the following:
threat event ID equals 19015
I got no email.
I tested with:
threat severity equals Critical
Note that the DLP rule is set to block with a severity of Critical, so I would expect my logic to be right here.
The result, however: no email. I changed the "threat severity" to Alert.
Hey presto, I get email.
I have raised this with McAfee Gold Support who are trying to recreate the symptoms in the test lab.
I will update this post once McAfee get back to me.
Good to know, thanks
McAfee have confirmed the issue described and I have now raised a Product Enhancement Request (PER).