So I've been struggling with a task for some time now and I think it would be doable since I only lack one filtering detail to get it properly up and running.
What I'd like to achieve is that when a system gets a malware event, I want that system to do a full system scan right away and then send me a report of that scanned system. There are probably easier ways to do this, but here's what I've done:
Created an automatic response for malware events to apply a tag.
The tag is associated with a client task, a full system scan right away.
I've created another automatic response for full system scan events that are finished. This response runs a query on malware events on the client and removes the tag. It also sends a report (based on the query) in an email.
This all works fine, except in the second automatic response, where I can only filter on the event ID for a full system scan that has taken place. Is there any way to filter on this being an on-demand system scan? Currently we would receive a lot of reports because clients run full system scans on a scheduled basis.
As I said, it's probably easier to solve this in some other way, so if you have any input, please let me know!