Based on the test docs in the current 7.10 implementation, there's an issue with event.outcome mappings. Firepower may exhibit the same issues.

Per ECS event.outcome, when referencing an action performed by the reporting device (e.g. a firewall denying a connection), it should reflect the outcome of the observer's action (e.g. a firewall successfully blocking a connection would have an event.outcome of success).

Message IDs: 106023, 106103

```
106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group "Inside_access_in" [0x0, 0x0]
106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
```

Output for each is:

`"event.outcome" : "failure"`

should be:

`"event.outcome" : "success"`
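The mapping rule at issue, as an added illustration that is not the Filebeat module's own pipeline: the two quoted ASA messages are parsed with hypothetical regexes written here, the deny/permit verb goes into event.action and event.type, and event.outcome records whether the firewall's own action succeeded. The `legacy` flag reproduces the reported behaviour for comparison.

```python
import re

# Constructed copies of the two Cisco ASA messages quoted in the issue.
SAMPLES = {
    "106023": 'Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 '
              '(type 11, code 0) by access-group "Inside_access_in" [0x0, 0x0]',
    "106103": 'access-list filter denied icmp for user joe inside/10.1.2.3(64321) '
              '-> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]',
}

# Hypothetical patterns written for this illustration (not the module's own grok).
PATTERNS = {
    "106023": re.compile(
        r'^(?P<verb>Deny|Permit) (?P<proto>\w+) src (?P<src_zone>\w+):(?P<src_ip>[\d.]+) '
        r'dst (?P<dst_zone>\w+):(?P<dst_ip>[\d.]+) .*by access-group "(?P<rule>[^"]+)"'),
    "106103": re.compile(
        r'^access-list (?P<rule>\S+) (?P<verb>denied|permitted) (?P<proto>\w+) for user '
        r'(?P<user>\S+) (?P<src_zone>\w+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> '
        r'(?P<dst_zone>\w+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)'),
}

def to_ecs(msg_id, message, legacy=False):
    """Map one ASA access-list message to a flat dict of ECS fields.
    legacy=True reproduces the mapping the issue reports (deny -> failure);
    legacy=False applies the ECS rule: the event describes the firewall's
    own action, and that action succeeded, so the outcome is success."""
    m = PATTERNS[msg_id].match(message)
    if m is None:
        raise ValueError(f"message does not match the pattern for {msg_id}")
    denied = m["verb"].lower().startswith("den")
    ecs = {
        "event.code": msg_id,
        "event.category": ["network"],
        "event.action": "deny" if denied else "allow",
        "event.type": ["connection", "denied" if denied else "allowed"],
        "network.transport": m["proto"],
        "source.ip": m["src_ip"],
        "destination.ip": m["dst_ip"],
        "rule.name": m["rule"],
    }
    user = m.groupdict().get("user")
    if user:
        ecs["source.user.name"] = user
    if legacy:
        # The reported bug: outcome keyed off the deny/permit verb.
        ecs["event.outcome"] = "failure" if denied else "success"
    else:
        # ECS: the observer blocked (or allowed) the traffic as intended.
        ecs["event.outcome"] = "success"
    return ecs
```

The denied/allowed distinction still survives in event.action and event.type, so detections keyed on blocked traffic do not lose anything when event.outcome becomes "success".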
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.