Efficiancy is always a matter of opinion... I personally would use both. I would store the information in an array that I can iterate through while always storing it to a file for future use and logging.
If you are having a hard time with dumping the info to a file then I would just iterate through an array. You can always go back and modify your code once you figure it out.
If I manually populate the list i.e. list = [1,2,3,4,5] I can iterate through it and write it out to a file no problem. My challenge is getting the results of core.executeQuery into a list or array.
The best way I have managed it in Powershell is with XML. By outputting in xml I can then iterate through the tree and pull out the info that I need...even put it into an array. Otherwise it would be a string which can be more complicated to manipulate. So consider what you are having it output as String, XML, JSON...and maybe tackle it from a different perspective.
Are you not able to apply a tag utilizing a server task?
Either way when you utilize the McAfee python API files the results that are returned to you are in a list. Each element within the list is a DICT of the data you requested. Here is a simple example to hopefully help you:
mc = mcafee.client(address, port, username, password)
target = 'EPOEvents'
select = '(select EPOEvents.DetectedUTC EPOEvents.ThreatName EPOEvents.AnalyzerName EPOEvents.SourceProcessName EPOEvents.TargetFileName EPOEvents.ThreatActionTaken)'
where = '( where ( and ( eq EPOEvents.AgentGUID "%s" ) ( newerThan EPOEvents.DetectedUTC 86400000 ) ) )' % (searchGUID)
order = '(order(asc EPOEvents.DetectedUTC))'
data = mc.core.executeQuery(target=target, select=select, where=where, order=order)
for event in data:
print string.ljust('Event Generated Time (UTC)', 40), string.ljust(event['EPOEvents.DetectedUTC'], 80)
print string.ljust('Detecting Product', 40), string.ljust(event['EPOEvents.AnalyzerName'], 80)
print string.ljust('Threat Name', 40), string.ljust(event['EPOEvents.ThreatName'], 80)
print string.ljust('Process Name', 40), string.ljust(event['EPOEvents.SourceProcessName'], 80)
print string.ljust('File Name', 40), string.ljust(event['EPOEvents.TargetFileName'], 80)
print string.ljust('Action Taken', 40), string.ljust(event['EPOEvents.ThreatActionTaken'], 80)
Now this code basically queries HBSS for events based on a Host Asset GUID and then loops the array and extracts the data.