Hi @vedburtruba,
The Network_Traffic.All_Traffic datamodel is not assigning the allowed, blocked or teardown values; these values come from the action field in the original data. Could you please let us know which type of data you are searching, so that we can help explain what all 3 values mean?
For example, if I consider Checkpoint logs (add-on Splunk_TA_checkpoint-opseclea), it gives 3 different results for the action field: allowed, blocked and dropped.
In general, allowed means traffic is allowed, for example from a firewall, and blocked means traffic is blocked. Looking at one of the documents, teardown means that the firewall didn't get the ACK-SYN packet from the destination; at that time it logs teardown.
I hope this helps.
Thanks,
Harshil