Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
827
Views
0
Helpful
1
Replies

MARS - Email Alerts as Triggered?

Go to solution
jnlawrence76
Level 1
Level 1

‎02-03-2011 07:44 AM

Is there a way to setup reports to send alerts/reports as soon as something triggers an alert rather than send out every minute/hour/day?  So say as soon as MARS sees a P2P session, it will send an alert off to me.

Thanks in Advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mwinnett
Level 3
Level 3

‎02-08-2011 02:30 AM

If you locate the report "Activity: P2P Filesharing/Chat - All Events" then you will see the event tyope as

Info/UncommonTraffic/P2PFileShare, Info/UncommonTraffic/P2PFileShare/FileTransfer,
Info/UncommonTraffic/Chat, Info/UncommonTraffic/Chat/FileTransfer, Info/UncommonTraffic/Chat/Proxy

You can then make a query, "all event raw messages". Under event, one at a time locate the 5 event types listed above and select all of the events listed for each (eg: Yahoo messag=nger missing URL, Yahoo instant messanger file transfer...etc). Cick apply and then "save as rule". You can then configure the rule as required. eg: limit to specific source/.dest subnets. Specifiy the action as email. If you want to be alerted for each and every occurrence, then you should set the time to something short like 1 minute. You can review the list of events and remove any that might not be applicable.

Matthew

View solution in original post

0 Helpful
1 Reply 1

Go to solution
mwinnett
Level 3
Level 3

‎02-08-2011 02:30 AM

If you locate the report "Activity: P2P Filesharing/Chat - All Events" then you will see the event tyope as

Info/UncommonTraffic/P2PFileShare, Info/UncommonTraffic/P2PFileShare/FileTransfer,
Info/UncommonTraffic/Chat, Info/UncommonTraffic/Chat/FileTransfer, Info/UncommonTraffic/Chat/Proxy

You can then make a query, "all event raw messages". Under event, one at a time locate the 5 event types listed above and select all of the events listed for each (eg: Yahoo messag=nger missing URL, Yahoo instant messanger file transfer...etc). Cick apply and then "save as rule". You can then configure the rule as required. eg: limit to specific source/.dest subnets. Specifiy the action as email. If you want to be alerted for each and every occurrence, then you should set the time to something short like 1 minute. You can review the list of events and remove any that might not be applicable.

Matthew

0 Helpful
Customers Also Viewed These Support Documents