From a9f3f8afbb32500fb443dea5fa8f330fa1978049 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Wed, 4 Mar 2026 14:05:50 -0500
Subject: [PATCH] Do not fire on denied events (#5805)

---
 ...ial_access_rpc_remote_procedure_call_from_the_internet.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 105c10f27..492129f62 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/02"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ type = "query"
 query = '''
 (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
 network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
+ not (event.type: denied or event.action: flow_dropped or event.outcome: failure) and
 not source.ip:(
 10.0.0.0/8 or
 127.0.0.0/8 or
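Review bot: The added exclusion in the query hunk is broader than the commit title states: `event.outcome: failure` suppresses every failed flow, not only firewall-denied ones, so an inbound RPC attempt from the internet that reached the host and was reset will no longer alert either; if the intent is only to ignore blocked traffic, drop or narrow the `event.outcome` clause, and either way record the trade-off above the query, e.g. `# Denied/dropped flows are excluded on purpose: the signal is RPC that was actually allowed in from the internet.` Whether the PANW integration labels denied sessions with `event.type: denied` or with a distinct `event.action` value that these three terms do not cover should be confirmed against its field mapping before this exclusion is trusted. Separately, the `updated_date` bump to `"2025/03/02"` in the first hunk looks like a year typo given the March 2026 commit date; `"2026/03/02"` was probably intended. The `query` string continues past the end of the hunk.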