I am creating an Automatic Response based on Malware detected and not handled. Using the filter "and Threat Handled" = False is good but this will not report on on "Threat Action Taken" = none.
Can I set this in the same filter?
"and Threat Handled" = False
"and Threat Action Taken" = None
I assume that it will not send a response unless both conditions are met. I see that some Threat events where malware detected can have the condition of "Threat Handled" = True but "Threat Action Taken" = None.
I do not want to make two separate responses. Is there a better way to create this filter?
not really sure what aim you have with this response. I presume you want to get alerted where an AV event happens which is not handled by OAS or ODS. In that respect you can use the two criteria in parallel, but I suggest you employ other filters such as Threat Category or Threat Type to filter out unwanted other records where these two criteria are also met.
The problem is that I am receiving Threat Events that have these situations....
1.) Where "Action Taken" = None and "Threat Handled" = True
2.) Where "Action Taken" = None and "Threat Handled" = False
I need just one automatic Response that handles both of these Threat Events.
I do not want to create two automatic responses. I need to report when there is nothing done to a threat in these situations.
Anything I can do?
Can you run a query for both of these scenarios as filters, and adding the Event Description (or others as suit you) fields, to see what values they carry?
Based on values of Event Description that you want or do no want you can specify A.R. filter conditions such as
where Action Taken Equals None
where Threat Handled equals True
OR Threat Handled equals False
AND xxxxx equals/does not equal YYY
where xxxx is Event Description and YYY is that you want to include or exclude*.
(*Lots of events with Event Description=Scan timed Out exist at our organization where Threat Handled=False and Action Taken=None. And lots of with Event Description=The update failed see event log, where Threat Handled=true and Action Taken=None. So there are lots of "irrelevant" events needed to be excluded)
Was it that you had in mind?