For example:
         action   actual_action  process   user  hostname  Time
Event 1: allowed  Left alone     c:\a\b\d  mike  host_1    00:00:10
Event 2: blocked  Deleted        c:\a\b\d  mike  host_1    00:00:12
In this case, the antivirus first detects the infection and then it gets cleaned/deleted/quarantined accordingly. Both events should have the same process, username, and hostname.
I want to generate a report for those users/hosts which have event 1 but not event 2.
Basically, to filter out those hosts/users for which the anti-virus has not taken any action.
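The check the question asks for, written as an added Python example (not code from the question or from any answer): events are grouped by process, user and hostname, and a group is reported when its "allowed" detection is not followed by a later "blocked" remediation. The sample rows are constructed in the same field layout as the question, and the function names parse_events and find_unremediated are my own.

```python
import csv
import io
from collections import defaultdict

# Constructed sample events in the question's field layout (not real log data).
# host_1/mike is remediated; host_2/alice has no remediation at all; host_3/bob
# has a "blocked" event that precedes a later "allowed" one, so it is still open.
SAMPLE_LOG = r"""action,actual_action,process,user,hostname,time
allowed,Left alone,c:\a\b\d,mike,host_1,00:00:10
blocked,Deleted,c:\a\b\d,mike,host_1,00:00:12
allowed,Left alone,c:\x\y\z,alice,host_2,00:01:05
blocked,Deleted,c:\x\y\z,bob,host_3,00:02:00
allowed,Left alone,c:\x\y\z,bob,host_3,00:02:30
"""


def parse_events(text):
    """Parse CSV event rows and add a sortable 'seconds' field from hh:mm:ss."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        h, m, s = (int(part) for part in row["time"].split(":"))
        row["seconds"] = h * 3600 + m * 60 + s
    return rows


def find_unremediated(events):
    """Return sorted (process, user, hostname) keys whose most recent
    'allowed' detection has no later 'blocked' event for the same key.
    Ordering matters: a 'blocked' that happened before the 'allowed' does
    not count as remediation, which a plain 'has any blocked' check misses."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["process"], ev["user"], ev["hostname"])].append(ev)

    open_keys = []
    for key, evs in groups.items():
        detection_open = False
        for ev in sorted(evs, key=lambda e: e["seconds"]):
            if ev["action"] == "allowed":
                detection_open = True
            elif ev["action"] == "blocked":
                detection_open = False
        if detection_open:
            open_keys.append(key)
    return sorted(open_keys)


if __name__ == "__main__":
    for process, user, host in find_unremediated(parse_events(SAMPLE_LOG)):
        print(f"NO ACTION TAKEN: host={host} user={user} process={process}")
```

The same grouping in Splunk's SPL is a stats by process, user and hostname collecting the actions, then dropping groups that contain "blocked"; the Python version adds the time-order check that such a grouping alone does not give you.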