(imported topic written by npeters91)
I’m adding a custom analysis derived from the BES Symantec Antivirus - Virus Information analysis.
I’d like to add the action taken when threats are found on a system, to the analysis.
Here is the output that I have right now…
DATE - Threat found - Action Taken
20070407 - EICAR Test String - Clean failed : Quarantine failed.
20070407 - EICAR Test String - Quarantine succeeded.
I’d like to have unique values of Date and Threat found but only list the last action taken.
In other words, can I only list the last action taken based on the 2 unique variables?
I’d like to only list: "20070407 - EICAR Test String - Quarantine succeeded. "
Here is the relevance:
unique values of ((first 8 of following text of last "" of it)& " - " & preceding text of first " in File:" of following text of first "Threat: " of preceding text of last "
" of it & " - " & preceding text of first " Action Description:" of following text of first "Action: " of preceding text of last " " of it) of ((following texts whose (number of substrings "
" of it is 1 AND preceding text of first " in File:" of following text of first "Threat: " of preceding text of last " " of it != "" AND preceding text of first " in File:" of following text of first "Threat: " of preceding text of last "
" of it != " ") of substrings " " of preceding texts whose (number of substrings "
" of it mod 2 is 0) of substrings " " of it) of ("
" & (concatenation " " of (string values of selects "Message, TimeGenerated from Win32_NTLogEvent where SourceName='Symantec AntiVirus' and Type='error'" of wmi)) & "
"))
Is there a way to list only the last record found?
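The logic the question is after (group the event log records by date and threat name, then keep only the action from the most recent record in each group) is shown here as an added Python example; it is not BigFix relevance and is not from the original post. It assumes the message layout the relevance above parses ("Threat: ... in File:" and "Action: ... Action Description:") and that TimeGenerated is a WMI CIM datetime string (yyyymmddHHMMSS.ffffff+UUU), whose first 8 characters are the date and which sorts chronologically as a plain string. The sample events are constructed, not real Symantec log data.

```python
import re

# Constructed sample records shaped like the (Message, TimeGenerated) pairs
# a "select Message, TimeGenerated from Win32_NTLogEvent" query would return.
# They are deliberately out of order and include one record with no threat fields.
SAMPLE_EVENTS = [
    ("Security Risk Found!Threat: EICAR Test String in File: C:\\temp\\eicar.com "
     "by: Manual Scan. Action: Quarantine succeeded. Action Description: The file was quarantined.",
     "20070407101502.000000+000"),
    ("Symantec AntiVirus service started.",            # no Threat/Action fields: skipped
     "20070407090000.000000+000"),
    ("Security Risk Found!Threat: EICAR Test String in File: C:\\temp\\eicar.com "
     "by: Manual Scan. Action: Clean failed : Quarantine failed. Action Description: Access denied.",
     "20070407101500.000000+000"),
    ("Security Risk Found!Threat: Trojan.Fake.Constructed in File: C:\\users\\x\\dl.exe "
     "by: Auto-Protect scan. Action: Cleaned. Action Description: The file was cleaned.",
     "20070408083000.000000+000"),
]

# Same delimiters the relevance expression in the post uses to cut out the fields.
THREAT_RE = re.compile(r"Threat: (.*?) in File:")
ACTION_RE = re.compile(r"Action: (.*?) Action Description:")


def parse_event(message, time_generated):
    """Return (date, threat, action) for one event, or None if the message
    does not carry the Threat/Action fields (service messages, etc.)."""
    threat = THREAT_RE.search(message)
    action = ACTION_RE.search(message)
    if not threat or not action:
        return None
    date = time_generated[:8]                  # yyyymmdd prefix of the CIM datetime
    return date, threat.group(1).strip(), action.group(1).strip()


def last_action_per_threat(events):
    """Group events by (date, threat) and keep only the action of the latest
    event in each group. Processing in TimeGenerated order means the final
    assignment for a key is always the most recent record."""
    latest = {}
    for message, time_generated in sorted(events, key=lambda e: e[1]):
        parsed = parse_event(message, time_generated)
        if parsed is None:
            continue
        date, threat, action = parsed
        latest[(date, threat)] = action        # later records overwrite earlier ones
    return [f"{date} - {threat} - {action}"
            for (date, threat), action in sorted(latest.items())]


if __name__ == "__main__":
    for line in last_action_per_threat(SAMPLE_EVENTS):
        print(line)
```

With the sample above, the two EICAR records collapse into the single "Quarantine succeeded." line the post asks for, the service-start message is ignored, and the second threat keeps its own line because it has a different (date, threat) key. Sorting by the raw TimeGenerated string is only safe while all records share the same UTC offset; mixed offsets would need a real datetime parse.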