Hi!
I'm trying to find more information about the vendor_action field, however I've not managed to do so with much success. If anyone has any insight in terms of cyber value and mapping to use cases that would be really helpful. Does there exist a taxonomy for this field?
Hi @splunkymcsnypr,
Common Information Model has an action field that expects "allowed", "blocked" or "teardown" values. Device that sends these events with action field may have other convention like "accept", "deny", "close", etc.
vendor_action field keeps original event action values that one may need to know original action value.