    Email alerts for downloads


      I am trying to configure email alerts anytime someone downloads a specific file type (i.e. zip, msi, exe). I need some help with setting this up. Should it be set up:


      1) As an event on a specific rule? For instance I am able to create an event using Set User-Defined.Email and I can get email alerts every time a site is blocked. I have no issue using this approach for downloads but I'm not sure what rule this event(s) should go on.


      2) Or should it be set up using the Incident Mapping: https://community.mcafee.com/docs/DOC-4837


      If I go route 2 I'm not sure what incident IDs I should be using. According to the chart there are 2 different ranges:



      Media type filtering incidents



      I can't find any other information on the specifics of those ranges however.


      Any help would be appreciated, thanks!

        • 1. Re: Email alerts for downloads
          Jon Scholten

          You would do this in the rules when you block a file (not in the error handler).


          You would not do this using Incidents in the Error Handler. Incidents are automated checks performed by the MWG; they are not related to user transactions. Errors (events related to the "Error.Id") ARE related to user transactions, but only trigger when there is a problem (like when the AV engine fails to load, or when an ICAP server is not available).


          So, you could do this under Global Media Type Filtering > Block Download Media Types, then on the rules where you block / continue you can just configure it to send an email alert, just like you do when a user gets blocked by URL filtering.




          • 2. Re: Email alerts for downloads

            Thanks Jon!


            So here's what I set up just to test to make sure the emails are coming through correctly:


            [Screenshot: MWG Download Alerts.png]


            Does this look right? Everything with it seems to be good except the Download Allowed is generating 2 emails each time.

            • 3. Re: Email alerts for downloads
              Jon Scholten

              Could you take a wider screenshot to include the ruleset criteria?


              The number of emails you get depends on the type of object you are scanning. Keep in mind MWG runs through the rule engine in cycles (request, response, embedded).


              Your rules may be matching for request and response, or possibly embedded.




              • 4. Re: Email alerts for downloads
                Jon Scholten

                The rules do look good, btw, just need refining to get the message you want (but you already know that).

                • 5. Re: Email alerts for downloads

                  As for the criteria for Download Media Types, it's still at the default: Cycle.TopName equals "Response". Here is a larger screenshot:




                  I've added a little more to the event rules but it still looks like it's triggering too much. For instance, I got an email for "Download Blocked" and the URL was: http://thumb10.shutterstock.com/photos/thumb_large/941662/143535532.jpg


                  We are not blocking jpgs and from a test default account I was able to get to that no problem.

                  • 6. Re: Email alerts for downloads
                    Jon Scholten

                    Yeah, but you have the subject line to say that it was blocked, but it was not.


                    Your second rule applies always.




                    • 7. Re: Email alerts for downloads

                      Oops - Copy rule got me...I forgot to change the subject for the Allowed.


                      What criteria would I use for the Downloads Allowed so that it would only trigger for types that I specify? (Executables, Videos, etc)

                      • 8. Re: Email alerts for downloads

                        Ok, looks like I got the criteria figured out: MediaType.FromFileExtension at least one in list


                        With a test download of an Excel file it still sent 2 emails. I'm assuming from the click to download, then the actual save as? Any way to keep this at 1 email?

                        • 9. Re: Email alerts for downloads



                          From a quick look at your rules I would add more criteria to stick the eMail rule to the correct cycle. From what I see it could send you a lot of eMails for each embedded cycle run, which is probably not what you want :-) You should try something like "Cycle.Name equals Response".


                          The rule engine tracing which is now part of MWG should help to better understand why the rule is executed twice and to find the criteria that needs to be excluded to prevent this from happening.




