The policy settings in the Patchman backend dictate when a user is notified of actions taken regarding detections of malware and vulnerabilities. Emails are sent every 30 minutes and always group the actions taken in the last 30 minutes. In the case that multiple detections for the same user are not registered in the same half hour window, the user may receive multiple notifications in a short period of time. Actions are only grouped by their action type (i.e. applicable template); users may receive multiple notifications at the same time if different actions were taken.
You can specify the email templates when adding or modifying a policy. Each action can have their own notification email template in all supported Patchman languages.
- Some actions are instructions to the server, for instance the instruction to patch a vulnerability or quarantine malware. You can schedule these actions to automatically take place several hours after a detection. If you set a notification for these kinds of actions, the notification is sent after the action was reported as completed by the server. Note, however, that no notification is sent of any action manually issued through the Patchman web interface.
- The second kind of actions are those that are not instructions to the server and are typically status updates from the server, e.g. when a new detection was made. You can't schedule these, but you can specify in the policy that you want to send a notification when these actions occur.
- Finally, you can send reminders for detections. These can be scheduled and complete automatically after the set amount of hours.
General notification limitations
Notifications are not sent in several cases. These relate to the presence of the email template and the source of the action. Listed below are the exclusion criteria for email notifications:
- Users are never notified of actions taken in the Patchman web interface, independent of who performed this action. Please note that detections resulting from manual scan tasks are not considered manual actions and may result in notifications.
- A user is not notified if there is no valid email address known at the time of notification.
- A user is not notified if there was no appropriate email template present for the policy at the time of detection, even if one is present at the time of sending the notification.
- A user is not notified if the email template that was assigned at the time of detection, was deleted afterwards. Creating a replacement template does not reassign it to previous detections.
- A user is not notified if the email template is not active at the time of sending the notification. It does not matter what the state was at the time of detection.
All detections use the policy that applied at the time of detection. Therefore, changing the policy of a user, does not change the applicable email template. However, changing the previously applicable policy does update the email template for past detections.
Advanced policy tasks
When enabling "Show advanced tasks", you get the option of setting a task for handling retracted definitions for both Vulnerabilities and Malware.
The "definition retracted" state is triggered when our definitions have changed. This means that we have decided that a detection should no longer be considered as vulnerability or malware.
This option has been placed under the advanced tasks section, because under normal circumstances this state should not be triggered. Our team takes much care reviewing every vulnerability and malware before releasing the definitions, to prevent cases where unnecessary detections are made.
Notified user level settings
A policy allows you to set the 'notified user level'. This is used to determine which user receives the notification. While you may choose to always send the notification to the affected user, you may also want to send the reseller of this user, or even the administrator in the panel of choice.
The following table lists four different types of users: the administrator user, the reseller user, users created by resellers (not the admin) and (non-reseller) users created by the administrator (i.e. where the adminstrator acted as reseller).
|Notified user level||Detection in admin||Detection in reseller||Detection in user of reseller||Detection in user of admin|
|descendant of admin||admin||reseller||reseller||user|
While determining the notified user, the user tree is traversed bottom-up, i.e. if the user is lower than the required level, the parent of this user is inspected. This repeats until at least the requested level is found. If no appropriate parent is found, the highest parent is used instead.
For instance, if you have selected 'admin' as the notified user level, but you only have reseller users, resellers will receive notifications instead.
If you wish to use other combinations, you should choose different default policies for users and resellers in the server group settings.
The applicable notified user level is taken from the policy that applied at the time of detection. Changing policies does not change the applicable notified user level, while changing the settings in the original policy does update the setting for existing detections.