We had the Port Scans alert in SEM set up with the OotB rules (I know, don't beat me up), and we did not really get any false alerts until recently, but now it is hitting this alert fairly frequently. I am wondering if you have a best practice on what is a good way to monitor and alert on unwanted port scans on the network.
We have all of the firewall logs coming to SEM, as well as all server activity.
Currently the alert states that a TCPTrafficAudit event triggers 10 events within 30 seconds, with a response window of 5 minutes. I am sure that this can be and should be better. Any assistance would be grand.
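To show concretely what the rule described above counts, here is an added example (not SEM's own rule engine, and not code from the poster) that replays constructed firewall log lines through a sliding 30-second window with a 5-minute suppression window per source. The log line format, IP addresses and port numbers are all assumed; the example also lets you compare counting raw events (as the described rule does) against counting distinct destination ports per source, which is the usual way to keep a busy client hammering one service from looking like a scanner.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)            # correlation window from the post
THRESHOLD = 10                            # events (or distinct ports) per source
RESPONSE_WINDOW = timedelta(minutes=5)    # suppress repeat alerts per source

# Constructed sample lines (assumed format, not real SEM/firewall output):
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOGS = (
    # scanner-like host: 16 different destination ports in 16 seconds
    [f"2024-01-01T10:00:{i:02d} src=10.0.0.5 dst=10.0.1.20 dport={20 + i} action=deny"
     for i in range(16)]
    # busy legitimate client: port 443 hit 15 times in 15 seconds
    + [f"2024-01-01T10:00:{i:02d} src=10.0.0.7 dst=10.0.1.30 dport=443 action=allow"
       for i in range(15)]
)

def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dport)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], int(kv["dport"])

def detect_port_scans(lines, threshold=THRESHOLD, window=WINDOW,
                      response_window=RESPONSE_WINDOW, distinct_ports=True):
    """Return alerts as (src, timestamp, count).

    distinct_ports=False mimics a raw event-count rule (10 events in 30 s);
    distinct_ports=True only counts different destination ports per source.
    A source is alerted on at most once per response_window.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
    last_alert = {}               # src -> timestamp of the last alert raised
    alerts = []
    for ts, src, dport in sorted(parse_line(l) for l in lines):
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        hits = {p for _, p in q} if distinct_ports else q
        if len(hits) >= threshold:
            prev = last_alert.get(src)
            if prev is None or ts - prev > response_window:
                last_alert[src] = ts
                alerts.append((src, ts, len(hits)))
    return alerts

if __name__ == "__main__":
    print("distinct ports:", detect_port_scans(SAMPLE_LOGS))
    print("raw events:    ", detect_port_scans(SAMPLE_LOGS, distinct_ports=False))
```

With the raw event count, both hosts trip the rule at the tenth event; with distinct destination ports, only 10.0.0.5 does.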