Limit notifications?

andreas.deland
Level 1

Hello

 

We are running the following filter for outgoing high-volume mails

 

Highvolume: if header-repeats('mail-from', 500, 'outgoing') {
                notify ("email@xxx.com");
}

 

Is it possible to limit the amount of notifications you get from the ESA? As for now it seems like I get one notification for every time the filter gets triggered.

 

Any suggestions are appreciated

 

//Andreas

 

5 Replies

tsilveruits
Level 1

As far as I know, it is not possible to limit these notifications to one for a set time period on the ESAs, such as once per 10 minutes, half hour, hour, etc. which would be a nice feature. We had an outgoing content filter that triggered on numerous emails and sent us numerous notifications. So, we now have a 'swatch' program running on our Syslog server that handles the notifications now. If you've never used 'swatch' before, it's pretty easy to understand with a little scripting and regex knowledge.
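
The approach described in the reply above (filter matches go to a syslog server and a script there decides when to notify), as an added example that is not part of the thread and is not swatch itself: it emits at most one notification per sender per time window and reports how many matches were suppressed in between. The log line shape, the `Highvolume sender=` marker and the 10-minute window are assumptions made for this sketch; adapt the regex to whatever your ESA actually logs.

```python
import re
from datetime import datetime, timedelta

# Assumed line shape (constructed for this example, not real ESA output):
#   "<ISO timestamp> <host> ... Highvolume sender=<address>"
LINE_RE = re.compile(r"^(?P<ts>\S+) .*\bHighvolume sender=(?P<sender>\S+)")

# Constructed sample input; the third line is unrelated noise.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 esa01 mail_logs: MID 1001 Highvolume sender=alice@example.com",
    "2024-05-01T09:00:05 esa01 mail_logs: MID 1002 Highvolume sender=alice@example.com",
    "2024-05-01T09:00:09 esa01 mail_logs: MID 1003 ICID 77 close",
    "2024-05-01T09:03:00 esa01 mail_logs: MID 1004 Highvolume sender=bob@example.com",
    "2024-05-01T09:09:59 esa01 mail_logs: MID 1005 Highvolume sender=Alice@example.com",
    "2024-05-01T09:10:00 esa01 mail_logs: MID 1006 Highvolume sender=alice@example.com",
]

def throttle(lines, window=timedelta(minutes=10)):
    """Return [(timestamp, sender, suppressed)], at most one per sender per window.

    `suppressed` counts the matches swallowed since that sender's previous
    notification, so the volume signal is kept even though the mail is not.
    """
    last_sent = {}    # sender -> time of the last notification sent
    suppressed = {}   # sender -> matches swallowed since then
    notifications = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a filter-match line
        ts = datetime.fromisoformat(m["ts"])
        sender = m["sender"].lower()  # treat Alice@ and alice@ as one sender
        prev = last_sent.get(sender)
        if prev is not None and ts - prev < window:
            suppressed[sender] = suppressed.get(sender, 0) + 1
            continue
        notifications.append((ts, sender, suppressed.pop(sender, 0)))
        last_sent[sender] = ts
    return notifications

if __name__ == "__main__":
    for ts, sender, skipped in throttle(SAMPLE_LOG):
        print(f"{ts.isoformat()} notify: {sender} "
              f"({skipped} earlier matches suppressed)")
```

Keying the window on the sender rather than on the filter name keeps a second compromised account from being hidden behind the first one's suppression window.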

marc.luescherFRE
Spotlight

This feature is currently not available for message or content filters and has been requested in the past.

charella
Cisco Employee
Andreas.deland,



You wrote: We are running the following filter for outgoing high-volume mails

Highvolume: if header-repeats('mail-from', 500, 'outgoing') {
notify ("email@xxx.com");

This appears to be working as designed. Notification from a message filter is different than an alert notification.

It’s simply matching, then sending a mail to the recipient.



What are you trying to achieve with this filter?

To capture users who send out a large volume of mail, yes?

You could change the number, increasing it to a higher number, 800 or 1000.

You could add a second condition which makes it match less frequently.
if (header-repeats('mail-from', 13, 'outgoing') AND (body-size > 1M))

That’s an example; you can refer to the filter rules in the user guide to match your scenario.

Thank you,
Chris

Hello

I just want to find out when someone internal is sending mass mail, for example with a compromised account or virus.

Sure, the value may be a little low.

 

Regards

//Andreas

 

Hi,

 

ESA does not support summarisation of such notifications.

 

Regards,

Cristian Matei.