cancel
Showing results for 
Search instead for 
Did you mean: 

Automated Responses

I am creating an Automatic Response based on Malware detected and not handled. Using the filter "and Threat Handled" = False is good but this will not report on on "Threat Action Taken" = none.

Can I set this in the same filter?

"and Threat Handled" = False

"and Threat Action Taken" =  None

I assume that it will not send a response unless both conditions are met. I see that some Threat events where malware detected can have the condition of "Threat Handled" = True but "Threat Action Taken" = None.

I do not want to make two separate responses. Is there a better way to create this filter?

4 Replies
apoling
Level 14
Report Inappropriate Content
Message 2 of 5

Re: Automated Responses

Hi,

not really sure what aim you have with this response. I presume you want to get alerted where an AV event happens which is not handled by OAS or ODS. In that respect you can use the two criteria in parallel, but I suggest you employ other filters such as Threat Category or Threat Type to filter out unwanted other records where these two criteria are also met.

Attila

Re: Automated Responses

The problem is that I am receiving Threat Events that have these situations....

1.) Where "Action Taken" = None and "Threat Handled" = True

2.) Where "Action Taken" = None and "Threat Handled" = False

I need just one automatic Response that handles both of these Threat Events.

I do not want to create two automatic responses. I need to report when there is nothing done to a threat in these situations.

Anything I can do?

apoling
Level 14
Report Inappropriate Content
Message 4 of 5

Re: Automated Responses

Can you run a query for both of these scenarios as filters, and adding the Event Description (or others as suit you) fields, to see what values they carry?

Based on values of Event Description that you want or do no want you can specify A.R. filter conditions such as

where Action Taken Equals None

AND

where Threat Handled equals True

          OR Threat Handled equals False

AND xxxxx equals/does not equal YYY

where xxxx is Event Description and YYY is that you want to include or exclude*.

(*Lots of events with Event Description=Scan timed Out exist at our organization where Threat Handled=False and Action Taken=None. And lots of with Event Description=The update failed see event log, where Threat Handled=true and Action Taken=None. So there are lots of "irrelevant" events needed to be excluded)

Was it that you had in mind?

Attila

Re: Automated Responses

Yes, this will probably work for me. I will do a test and let you know if this works out.

Thanks!