https://community.splunk.com/t5/Splunk-Search/vendor-action-Field/m-p/543626#M153988 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232321">@splunkymcsnypr</a>,</P><P>Common Information Model has an action field that expects "allowed", "blocked" or "teardown" values. Device that sends these events with action&nbsp;field may have other convention like "accept", "deny", "close", etc.&nbsp;</P><P><STRONG>vendor_action</STRONG> field keeps original event action values that one may need to know original action value.</P> Sat, 13 Mar 2021 09:54:12 GMT scelikok 2021-03-13T09:54:12Z https://community.splunk.com/t5/Splunk-Search/vendor-action-Field/m-p/543182#M153872 <P>Hi!<BR />I'm trying to find more information about the vendor_action field, however I've not managed to do so with much success. If anyone has any insight in terms of cyber value and mapping to use cases that would be really helpful. Does there exist a taxonomy for this field?</P> Wed, 10 Mar 2021 11:00:33 GMT https://community.splunk.com/t5/Splunk-Search/vendor-action-Field/m-p/543182#M153872 splunkymcsnypr 2021-03-10T11:00:33Z https://community.splunk.com/t5/Splunk-Search/vendor-action-Field/m-p/543626#M153988 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232321">@splunkymcsnypr</a>,</P><P>Common Information Model has an action field that expects "allowed", "blocked" or "teardown" values. Device that sends these events with action&nbsp;field may have other convention like "accept", "deny", "close", etc.&nbsp;</P><P><STRONG>vendor_action</STRONG> field keeps original event action values that one may need to know original action value.</P> Sat, 13 Mar 2021 09:54:12 GMT https://community.splunk.com/t5/Splunk-Search/vendor-action-Field/m-p/543626#M153988 scelikok 2021-03-13T09:54:12Z