4 Replies Latest reply on Jan 17, 2011 8:40 AM by SafebootMEE

    Automated Responses

      I am creating an Automatic Response based on Malware detected and not handled. Using the filter "and Threat Handled" = False is good but this will not report on on "Threat Action Taken" = none.

       

      Can I set this in the same filter?

       

      "and Threat Handled" = False

       

      "and Threat Action Taken" =  None

       

      I assume that it will not send a response unless both conditions are met. I see that some Threat events where malware detected can have the condition of "Threat Handled" = True but "Threat Action Taken" = None.

       

      I do not want to make two separate responses. Is there a better way to create this filter?

        • 1. Re: Automated Responses
          Attila Polinger

          Hi,

           

          not really sure what aim you have with this response. I presume you want to get alerted where an AV event happens which is not handled by OAS or ODS. In that respect you can use the two criteria in parallel, but I suggest you employ other filters such as Threat Category or Threat Type to filter out unwanted other records where these two criteria are also met.

           

          Attila

          • 2. Re: Automated Responses

            The problem is that I am receiving Threat Events that have these situations....

             

            1.) Where "Action Taken" = None and "Threat Handled" = True

            2.) Where "Action Taken" = None and "Threat Handled" = False

             

            I need just one automatic Response that handles both of these Threat Events.

             

            I do not want to create two automatic responses. I need to report when there is nothing done to a threat in these situations.

             

            Anything I can do?

            • 3. Re: Automated Responses
              Attila Polinger

              Can you run a query for both of these scenarios as filters, and adding the Event Description (or others as suit you) fields, to see what values they carry?

               

              Based on values of Event Description that you want or do no want you can specify A.R. filter conditions such as

               

              where Action Taken Equals None

              AND

              where Threat Handled equals True

                        OR Threat Handled equals False

              AND xxxxx equals/does not equal YYY

               

              where xxxx is Event Description and YYY is that you want to include or exclude*.

               

              (*Lots of events with Event Description=Scan timed Out exist at our organization where Threat Handled=False and Action Taken=None. And lots of with Event Description=The update failed see event log, where Threat Handled=true and Action Taken=None. So there are lots of "irrelevant" events needed to be excluded)

               

              Was it that you had in mind?

               

              Attila

              • 4. Re: Automated Responses

                Yes, this will probably work for me. I will do a test and let you know if this works out.

                 

                Thanks!