[Rule Tuning] Detection Network/Firewall Rules should ignore events with an outcome of denied/deny

[spong]

Description

As initially reported in elastic/kibana#71374 by @BenB196

Describe the feature:
The SIEM detection rules for network events for "event.action : firewall-rules" should not create signals for "event.outcome : (deny or denied)" values.

Describe a specific use case for the feature:
These are all false positive results as the firewall is doing its job and preventing these connections. In high traffic firewalls, 10s or 100s of thousands of signals can be generated within 24 hours, that are all false positives.

[BenB196]

Another word that should be ignored is "Deny" as that is another possibility.

Something that is somewhat interesting. Is that these values don't appear to match ECS, which say that event.outcome should only have 3 values:

Important: The field value must be one of the following:

failure, success, unknown

Unsure why the Filebeat module doesn't follow this standard.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[terrancedejesus]

Closing this issue based on the following conclusion.

• Date of issue and successful merges related
• No current rules exist using event.action and keyword firewall-rules
• No rules containing event.outcome where deny or failure or block exist. failure exists but is not related to Firewall deny/block connections as expected.