
Pinned topic: tuning out blocked port scans

2016-07-28T16:28:18Z

Each day, I observe several offenses where remote systems are scanning specific ports on IPs of our external subnet. We block these attempts, and I'd like to tune these offenses as false positives.

For example, I see several offenses where a remote source IP address is scanning for port 5060 (SIP) on all IPs in our external subnet. This is likely a "SIPVicious Security Scanner". The source IP is different each time, but the destination /24 subnet and the port 5060 are the same for each offense.

How can I mark these events as false positives to prevent another offense of the same behavior (a different remote source IP but the same destination IPs and port) from being generated?
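The matching criterion the post describes (the attempt was blocked, the source can be anything, the destination is in the same external /24, and the port is 5060), written out as an added Python example that is not part of the original post or of any QRadar feature; the key=value log format and the 203.0.113.0/24 subnet are constructed placeholders standing in for the poster's firewall logs and external range.

```python
import ipaddress
import re

# Constructed sample of firewall events (not real log data); 203.0.113.0/24
# stands in for the poster's external subnet.
SAMPLE_EVENTS = """\
2016-07-28T10:01:02Z action=deny src=198.51.100.7 dst=203.0.113.10 dport=5060 proto=udp
2016-07-28T10:01:03Z action=deny src=198.51.100.7 dst=203.0.113.11 dport=5060 proto=udp
2016-07-28T10:05:09Z action=deny src=192.0.2.44 dst=203.0.113.12 dport=5060 proto=udp
2016-07-28T10:07:15Z action=allow src=192.0.2.44 dst=203.0.113.12 dport=5060 proto=udp
2016-07-28T10:09:30Z action=deny src=192.0.2.99 dst=203.0.113.20 dport=22 proto=tcp
2016-07-28T10:11:00Z action=deny src=192.0.2.99 dst=198.51.100.20 dport=5060 proto=udp
""".splitlines()

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

def parse_event(line):
    """Return the key=value fields of one line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev

def is_tunable_scan(ev, dst_net, dport):
    """True for a blocked probe of dst_net on dport from any source address.
    Only denied events qualify: a probe that was allowed still deserves an offense."""
    return (
        ev["action"] == "deny"
        and ev["dport"] == dport
        and ipaddress.ip_address(ev["dst"]) in dst_net
    )

def triage(lines, dst_net="203.0.113.0/24", dport=5060):
    """Split events into (suppressed, kept): suppressed ones match the tuning
    criterion; kept ones differ in action, port or destination range and should
    still raise an offense."""
    net = ipaddress.ip_network(dst_net)
    suppressed, kept = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skip rather than silently suppress
        (suppressed if is_tunable_scan(ev, net, dport) else kept).append(ev)
    return suppressed, kept
```

On the sample above, the three denied probes of 203.0.113.0/24 on 5060 are suppressed even though they come from two different sources, while the allowed connection, the port 22 probe and the probe of a different /24 are kept.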