[SIEM][Detections] Detection Network/Firewall Rules should ignore events with an outcome of denied/deny #71374
Labels: Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:SIEM
Describe the feature:
The SIEM detection rules for network events for "event.action : firewall-rules" should not create signals for "event.outcome : (deny or denied)" values.
Describe a specific use case for the feature:
These are all false positive results as the firewall is doing its job and preventing these connections. On high-traffic firewalls, tens or hundreds of thousands of signals that are all false positives can be generated within 24 hours.
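The exclusion the issue asks for, modelled as an added example rather than code from Kibana or from the issue author: the same predicate the rule query would express, applied to constructed ECS-style events. The KQL string, the field resolver and the sample events are assumptions for illustration; the one design point worth noting is that an event with no `event.outcome` at all is still alerted on, so the filter only suppresses outcomes the firewall explicitly reported as denied.

```python
"""Model of a firewall-rules detection that ignores explicitly denied outcomes.

Added example; not the Kibana rule's own code. Field names follow ECS
(event.action, event.outcome); everything else here is an assumption.
"""
from typing import Any, Dict, List

# KQL form of the proposed exclusion (assumed wording, for reference only).
KQL_QUERY = 'event.action : "firewall-rules" and not event.outcome : (deny or denied)'

# Outcome values treated as "the firewall blocked it", compared case-insensitively.
DENIED_OUTCOMES = frozenset({"deny", "denied"})


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve an ECS dotted field name against a flat or nested document."""
    if dotted in event:                      # flat form: {"event.action": ...}
        return event[dotted]
    node: Any = event                        # nested form: {"event": {"action": ...}}
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def should_alert(event: Dict[str, Any]) -> bool:
    """True when the event matches the rule and was not explicitly denied."""
    if get_field(event, "event.action") != "firewall-rules":
        return False                         # not a firewall-rules event at all
    outcome = get_field(event, "event.outcome")
    if outcome is None:
        return True                          # unknown outcome: do not hide it
    values = outcome if isinstance(outcome, list) else [outcome]  # ECS allows arrays
    return not any(str(v).lower() in DENIED_OUTCOMES for v in values)


def filter_signals(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return only the events the detection should still raise signals for."""
    return [e for e in events if should_alert(e)]


def suppression_stats(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count how many matching events are kept versus suppressed by the exclusion."""
    matching = [e for e in events if get_field(e, "event.action") == "firewall-rules"]
    kept = sum(1 for e in matching if should_alert(e))
    return {"matching": len(matching), "kept": kept, "suppressed": len(matching) - kept}


# Constructed sample events (not real firewall logs).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"action": "firewall-rules", "outcome": "deny"}, "source": {"ip": "10.0.0.5"}},
    {"event": {"action": "firewall-rules", "outcome": "Denied"}, "source": {"ip": "10.0.0.6"}},
    {"event": {"action": "firewall-rules", "outcome": "success"}, "source": {"ip": "10.0.0.7"}},
    {"event": {"action": "firewall-rules"}, "source": {"ip": "10.0.0.8"}},           # no outcome
    {"event": {"action": "network-flow", "outcome": "deny"}, "source": {"ip": "10.0.0.9"}},
    {"event.action": "firewall-rules", "event.outcome": ["allow"], "source.ip": "10.0.0.10"},
]

if __name__ == "__main__":
    for e in filter_signals(SAMPLE_EVENTS):
        print("signal:", e)
    print(suppression_stats(SAMPLE_EVENTS))
```

Over the constructed sample, two of the five firewall-rules events are suppressed (the `deny` and the mixed-case `Denied`), while the event with no outcome and the one with an `allow` array still produce signals; the `network-flow` event is simply outside the rule's scope.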