I would like to hide detections based on ports used for communication between endpoints. Our Windows clients participate in Windows PE peer caching for patching and all these clients periodically scan the network for other clients using port 8003 to share patching rather than going direct to the SCCM server. This is causing TCP Syn Scan Detections to occur. They would not like to hide TCP Syn Scan detections for all these devices, but only when a device is scanning for port 8003.
Hi, this would probably be a better fit for the detection feedback forum, but thanks a lot for bubbling this up to us, and we are looking into tuning out false positives in deployments with Windows PE peer caching.