Tune “Unconventional Protocol Communication” detections by port or protocol.
It would be great to be able to tune “Unconventional Protocol Communication” detections in a more granular way. Currently the tuning seems to be “this attacker, this victim ignore all unconventional protocols.”
It would be great to be able to say, for example, “SMTP/SSH between these two servers is OK from now on.”
Or, even better, some global rulesets that say “this specific port type to this victim server is always OK.”
I’m not sure if the current product design is based on learning this automatically and then stopping these detections from firing?