Host Intrusion Prevention notifications

Host Intrusion Prevention supports the following product-specific notification categories:

Notifications can be configured only for all or none of the Host (or Network) IPS signatures. Entercept 5.x supported notifications based on sets of signature IDs or individual severity levels. Host Intrusion Prevention supports the specification of a single IPS signature ID as the Threat Name or Rule Name field in the notification rule configuration. By internally mapping the signature ID attribute of an event to the threat name, a rule is created to uniquely identify an IPS signature.

The specific mappings of Host Intrusion Prevention parameters allowed in the subject/body of a message include:

| Parameters | Host and Network IPS Events Values | Blocked Application Event Values | Quarantine Event Values |
|---|---|---|---|
| ReceivedThreatNames | SignatureID | none | none |
| SourceComputers | Remote IP address | computer name | computer name |
| AffectedObjects | Process Name | Application name | IP address of computer |
| EventTimestamp | Incident time | Incident time | Incident time |
| EventID | ePO mapping of event ID | ePO mapping of event ID | ePO mapping of event ID |
| AdditionalInformation | Localized Signature Name (from client computer) | Application full path | none |

Copyright © 2006 McAfee, Inc. All Rights Reserved.