Here is the eval expression I used to cobble together a decent "action" field (shown in search syntax; in props.conf the same expression goes in the stanza as `EVAL-action = <expression>`, without the leading `| eval action=`):
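``` Normalize McAfee ePO event text into a single "action" field.
    case() returns the value of the FIRST true branch, so branch order is the
    whole logic here:
      0. no event_description at all            -> "none"
      1. housekeeping / scanner / policy events  -> lowercased description (informational)
      2. the threat was NOT stopped              -> "allowed"
      3. the threat WAS stopped                  -> "blocked"
      4. anything else                           -> lowercased description
    The trailing replace() strips commas, periods and semicolons from whatever
    free text falls through, so the values are easier to group on.
    NOTE(review): match() is an unanchored regex, so short fragments such as
    "oss", "dll" and "move" hit any substring ("possible", "middle", "removed")
    and would pull a real block/allow event into branch 1 -- verify these against
    the live event_description values before trusting the informational bucket.
    NOTE(review): every ProductFamily=="UDLP" event lands in branch 1, including
    any DLP block, because that test runs before the "blocked" patterns -- confirm
    that is intended. ```
| eval action=replace(case(
    ``` branch 0: guard first, so a missing description is "none" even when
        ProductFamily=="UDLP" (previously that combination yielded a null action) ```
    isnull('event_description'),"none",
    ``` branch 1: informational events, keep the description ```
    'ProductFamily'=="UDLP" OR
    match(lower('event_description'),"on-") OR
    match(lower('event_description'),"dll") OR
    match(lower('event_description'),"oss") OR
    match(lower('event_description'),"svm") OR
    match(lower('event_description'),"^scan") OR
    match(lower('event_description'),"policy") OR
    match(lower('event_description'),"service") OR
    match(lower('event_description'),"deferred") OR
    match(lower('event_description'),"update") OR
    match(lower('event_description'),"mcafee security") OR
    match(lower('event_description'),"protection \w+abled") OR
    (match(lower('event_description'),"move") AND 'threat_handled'=="0"),lower('event_description'),
    ``` branch 2: threat not stopped. Must stay ahead of branch 3 because
        "not blocked" contains "blocked" and "would delete" / "delete on reboot"
        describe an action that has not happened yet ```
    match(lower('event_description'),"pending") OR
    match(lower('event_description'),"unable to") OR
    match(lower('event_description'),"not blocked") OR
    match(lower('event_description'),"would delete") OR
    match(lower('event_description'),"delete on reboot") OR
    (match(lower('event_description'),"handled") AND 'threat_handled'=="0") OR
    (match(lower('event_description'),"spam") AND match(lower('vendor_action'),"clean")) OR
    (match(lower('event_description'),"failed") AND NOT match(lower('event_description'),"deleted")) OR
    (match(lower('event_description'),"browser") AND NOT match(lower('ThreatName'),"web control violation")),"allowed",
    ``` branch 3: threat stopped ```
    match(lower('event_description'),"spam") OR
    match(lower('event_description'),"denied") OR
    match(lower('event_description'),"blocked") OR
    match(lower('event_description'),"handled") OR
    match(lower('event_description'),"deleted") OR
    match(lower('event_description'),"cleaned") OR
    match(lower('event_description'),"browser") OR
    match(lower('event_description'),"quarantine") OR
    (match(lower('event_description'),"detected") AND 'threat_handled'=="1"),"blocked",
    ``` branch 4: description present but unclassified, keep it lowercased ```
    true(),lower('event_description')),
  ``` one character class replaces the three chained replace() calls for "," "." ";"
      (identical result, and no backslash escaping to get wrong in props.conf) ```
  "[,.;]","")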