To build on my last IR article:
How to utilize SEP 12.1 for Incident Response - PART 6
I'm attaching a custom IPS policy which will detect the download of various filetypes via HTTP and HTTPS.
The signatures are in Allow mode and set to write to the Packet log for detailed information.
As of now, this policy will detect 37 different filetypes. I will update it as I add more.
Feel free to use and let me know if you have any questions or feedback.