I fixed it by creating a new lookup table, populating it with the values found in the Status field with the correct mapping to the action field. Then I pointed to the new lookup file by overriding it in the local props.conf.
My new lookup file is as follows:
Status,action
Quarantined,blocked
Waived,allowed
Unsafe,deferred
Cleared,allowed
Abnormal,deferred
I suppose another workaround would be to just look up the values from the EventNames field to create the action field.
Either way, I hope this helps anyone not able to correlate events using the action field from Cylance Threat logs.
-w
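The props.conf override the post describes, written out as an added example (not the poster's own config): the lookup CSV above is registered in a local transforms.conf and then applied to the Cylance sourcetype in a local props.conf. The stanza name, CSV filename and sourcetype placeholder are assumptions.

```ini
# Added example, not from the original post. Stanza and file names are assumed;
# replace the sourcetype placeholder with the one your Cylance threat events use.

# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf
# Registers the CSV (Status,action columns) as a lookup definition.
[cylance_status_to_action]
filename = cylance_status_to_action.csv

# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# Automatic lookup: match the Status field against the CSV and output action.
# Putting this in local/ overrides any LOOKUP- setting from the add-on's default/.
[YOUR_CYLANCE_THREAT_SOURCETYPE]
LOOKUP-cylance_action = cylance_status_to_action Status OUTPUT action
```

The CSV must live in the same app's lookups directory as the transforms.conf that references it; check the result with a search that reports events where action is still empty.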