I'm not really sure what aim you have with this response. I presume you want to get alerted when an AV event happens which is not handled by OAS or ODS. In that respect you can use the two criteria in parallel, but I suggest you employ other filters such as Threat Category or Threat Type to filter out other unwanted records where these two criteria are also met.
The problem is that I am receiving Threat Events that have these situations....
1.) Where "Action Taken" = None and "Threat Handled" = True
2.) Where "Action Taken" = None and "Threat Handled" = False
I need just one automatic Response that handles both of these Threat Events.
I do not want to create two automatic responses. I need to report when there is nothing done to a threat in these situations.
Anything I can do?
Can you run a query for both of these scenarios as filters, adding the Event Description (or other fields, as suits you), to see what values they carry?
Based on the values of Event Description that you want or do not want, you can specify A.R. filter conditions such as
where Action Taken Equals None
where Threat Handled equals True
OR Threat Handled equals False
AND xxxxx equals/does not equal YYY
where xxxx is Event Description and YYY is what you want to include or exclude*.
(*Lots of events with Event Description=Scan timed Out exist at our organization where Threat Handled=False and Action Taken=None. And lots with Event Description=The update failed see event log, where Threat Handled=true and Action Taken=None. So there are lots of "irrelevant" events that need to be excluded.)
Is that what you had in mind?
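As an added illustration of the filter logic suggested above (this is example code, not part of the thread and not anything from ePO itself), the script below models the proposed rule in Python and runs it over a handful of constructed Threat Events. The event records, the exclusion list and the function names are assumptions for the example. It shows two things a practitioner would want to check before trusting a single Automatic Response: that "Threat Handled = True OR Threat Handled = False" is a tautology on a boolean field (so the rule really reduces to "Action Taken = None AND description not excluded"), and that the same conditions written without explicit grouping evaluate as (A AND B) OR (C AND D) and let unwanted events through.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample records (not real ePO data); field names follow the thread.
@dataclass(frozen=True)
class ThreatEvent:
    event_id: int
    action_taken: str          # e.g. "None", "Deleted", "Cleaned"
    threat_handled: bool
    event_description: str

# Hypothetical exclusion list built from the two noisy descriptions named in the thread.
EXCLUDED_DESCRIPTIONS = frozenset({
    "Scan timed Out",
    "The update failed see event log",
})

SAMPLE_EVENTS: List[ThreatEvent] = [
    ThreatEvent(1, "None",    True,  "Virus detected"),                   # nothing done: alert
    ThreatEvent(2, "None",    False, "Virus detected"),                   # nothing done: alert
    ThreatEvent(3, "None",    False, "Scan timed Out"),                   # noise: exclude
    ThreatEvent(4, "None",    True,  "The update failed see event log"),  # noise: exclude
    ThreatEvent(5, "Deleted", True,  "Virus detected"),                   # action taken: no alert
    ThreatEvent(6, "Cleaned", False, "Virus detected"),                   # action taken: no alert
]


def intended_filter(ev: ThreatEvent) -> bool:
    """Action Taken = None
       AND (Threat Handled = True OR Threat Handled = False)
       AND Event Description not in the exclusion list.
    Written with explicit grouping so the OR cannot leak out."""
    no_action = ev.action_taken == "None"
    # On a boolean field this disjunction is always True; it only documents that
    # both handled and unhandled events are wanted.
    handled_either = ev.threat_handled is True or ev.threat_handled is False
    not_noise = ev.event_description not in EXCLUDED_DESCRIPTIONS
    return no_action and handled_either and not_noise


def ungrouped_filter(ev: ThreatEvent) -> bool:
    """The same four conditions typed left to right with no grouping.
    AND binds tighter than OR, so this is (A and B) or (C and D):
    anything with Threat Handled = False and a non-excluded description
    matches even when an action was taken, and an excluded description
    still matches when Threat Handled = True."""
    return (ev.action_taken == "None" and ev.threat_handled is True
            or ev.threat_handled is False and ev.event_description not in EXCLUDED_DESCRIPTIONS)


def select_ids(rule: Callable[[ThreatEvent], bool],
               events: List[ThreatEvent] = SAMPLE_EVENTS) -> List[int]:
    """Return the ids of the events a rule would fire on."""
    return [ev.event_id for ev in events if rule(ev)]


if __name__ == "__main__":
    print("grouped  :", select_ids(intended_filter))   # [1, 2]
    print("ungrouped:", select_ids(ungrouped_filter))  # [1, 2, 4, 6]
```

Running the grouped rule fires only on events 1 and 2; the ungrouped version also fires on the "update failed" event and on an event that was already cleaned. Whatever product the rule is built in, it is worth running the same query with a known noisy event and a known handled event in the window to confirm the conditions are grouped the way the filter editor displays them.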
Yes, this will probably work for me. I will do a test and let you know if this works out.