I have a port scan rule configured in SEM of:
TCPTrafficAudit occurred
and whole rule
occurs at least 10x in 30 seconds in 5 min window same SourceMachine (TCPTrafficAudit) Distinct DestinationPort (TCPTrafficAudit)
I am receiving a lot of alerts from this rule firing.
From what I can tell initially, the reports are all coming from 3 specific machines, all of which have our IPsec tunnels configured on them.
The VPN Type is coming up as IPSEC_Tunnel.
Is there anything that I can do to help reduce the number of alerts and filter out the number of false positives that we are getting?
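Added example, not from the original post or from SolarWinds: a Python sliding-window check that reproduces the rule's logic (at least 10 distinct DestinationPorts from one SourceMachine inside 30 seconds) over constructed events, and shows how excluding the known IPsec tunnel endpoints drops their alerts while a genuine scan-like burst still fires. The host addresses, timestamps and ports are made up.

```python
from collections import defaultdict, deque

# Constructed TCPTrafficAudit-style events: (timestamp_s, SourceMachine, DestinationPort).
# Not real SEM data; built to exercise the rule "10 distinct ports in 30 s per source".
SAMPLE_EVENTS = (
    # Known IPsec tunnel endpoint touching 12 distinct ports in 12 s (the false positive).
    [(t, "10.0.0.5", 1000 + t) for t in range(12)]
    # A workstation hitting 12 distinct ports in 12 s (genuine scan-like behaviour).
    + [(100 + t, "10.0.0.77", 20 + t) for t in range(12)]
    # A server repeatedly contacting one port: many events but only 1 distinct port.
    + [(200 + t, "10.0.0.9", 443) for t in range(15)]
)

def detect_port_scans(events, threshold=10, window_s=30, excluded_sources=frozenset()):
    """Return [(SourceMachine, timestamp_s)] for each source that touches at least
    `threshold` distinct DestinationPorts within any `window_s`-second sliding window.
    Sources in `excluded_sources` (e.g. the IPsec tunnel endpoints) are skipped."""
    recent = defaultdict(deque)  # SourceMachine -> deque of (timestamp_s, port)
    alerts = []
    for ts, src, port in sorted(events):
        if src in excluded_sources:
            continue
        window = recent[src]
        window.append((ts, port))
        while ts - window[0][0] > window_s:   # drop events that fell out of the window
            window.popleft()
        if len({p for _, p in window}) >= threshold:
            alerts.append((src, ts))
            window.clear()                     # re-arm instead of firing on every event
    return alerts

if __name__ == "__main__":
    print("untuned:", detect_port_scans(SAMPLE_EVENTS))
    print("tunnel endpoints excluded:",
          detect_port_scans(SAMPLE_EVENTS, excluded_sources={"10.0.0.5"}))
```

The exclusion set is the simplest tuning; a stricter variant would keep the tunnel hosts in scope but require a higher distinct-port count for them.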