We have several devices that perform endpoint and network device scanning. As intended, they are scanning prohibited ports to verify they are not open, however the ESCU correlation searches , specifically the "Prohibited network Traffic Allowed" rule, is detecting thousands of these events each day.
How can I prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?
Thank you.
This is why you should put devices into the Assets framework and label their category "known_scanner" then you can do like NOT src_category="known_scanner" into your search. So as you update assets new scanners don't trigger correlation searches.
Modify the correlation search to exclude the legitimate devices.
Correlation rules from sources such as ESCU will have a filter macro. For example, the rule "ESCU - Access LSASS Memory for Dump Creation - Rule" has a macro named "access_lsass_memory_for_dump_creation_filter". You should modify the macro rather than the rule itself.
Sometimes rules are updated in the ESCU. If one modifies the rule directly, the search will be saved in the 'local' folder and have precedence over an updated rule in the default folder.