[SIEM][Detections] Detection Network/Firewall Rules should ignore events with an outcome of denied/deny #71374
Labels
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Team:SIEM
Comments
|
Pinging @elastic/siem (Team:SIEM) |
|
Hey there @BenB196, thanks for the feedback! We actually just launched the detection-rules repo last week for tracking and managing all things rule related, so I've ported this issue over there as elastic/detection-rules#50, and will close this one. Thanks for reporting this rule tuning, and stay tuned to that issue for updates! 🙂 |
MindyRS
added
the
Team: SecuritySolution
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature:
The SIEM detection rules for network events for "event.action : firewall-rules" should not create signals for "event.outcome : (deny or denied)" values.
Describe a specific use case for the feature:
These are all false positive results as the firewall is doing its job and preventing these connections. In high traffic firewalls, 10s or 100s of thousands of signals can be generated within 24 hours, that are all false positives.
The text was updated successfully, but these errors were encountered: