Hi, we recently started utilizing the ESET Inspect module for a number of clients, and I've been tasked with learning/managing most of our security, despite being a bit in over my head. Currently we are getting a large number of detections in the EI dashboard for Protocol Mismatch - detected RDP communication over non-standard port [E0517]. I've confirmed they're coming from the internal IP address of our vulnerability scanner and even double-checked with our vulnerability scanner vendor to confirm whether these were from their tool, which they are. So my next job is seeing how to reduce these detections, as they are known authorized events.
I've made exclusions in the Security Product's IDS in the policy, which appears to be functioning, but this doesn't seem to spill over to the Inspect module. Whenever I try to make the exclusion, however, there doesn't seem to be enough identifying data in the event to create an exclusion (no parent process, no hash, no unique process or service), and I want to be careful not to make the exclusion so wide that actual malicious port scanning can get through because of this rule. Any help for this green security analyst would be greatly appreciated. Thanks.
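The narrowing the post is worried about, as an added example that is not part of the original post and not ESET code: a suppression scoped to the E0517 rule plus the scanner's source IP only, run over constructed sample detections (hypothetical addresses) so you can see what it suppresses and what it keeps.

```python
"""Scoped suppression of E0517 detections from a known vulnerability scanner.

Added example, not ESET Inspect code. It models the narrow exclusion from the
post (rule ID + authorized scanner source IP) over constructed detections, so
the same rule firing from any other host is still kept for triage.
"""
from dataclasses import dataclass
import ipaddress

# Rule name taken from the post; the detection records below are constructed.
RULE_RDP_NONSTD_PORT = "E0517"


@dataclass(frozen=True)
class Detection:
    rule_id: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed sample detections (hypothetical internal addresses).
SAMPLE = [
    Detection("E0517", "10.0.5.20", "10.0.1.15", 3390),   # scanner -> workstation
    Detection("E0517", "10.0.5.20", "10.0.1.16", 33890),  # scanner -> workstation
    Detection("E0517", "10.0.7.44", "10.0.1.15", 3390),   # unknown host, same rule: keep
    Detection("E0301", "10.0.5.20", "10.0.1.15", 445),    # scanner, different rule: keep
]


def build_exclusion(scanner_ips, rule_id=RULE_RDP_NONSTD_PORT):
    """Return a predicate that is true only for rule_id fired from an authorized scanner.

    scanner_ips may be single addresses or CIDR ranges; keep this list small,
    since every address in it is a blind spot for this rule.
    """
    nets = [ipaddress.ip_network(ip, strict=False) for ip in scanner_ips]

    def is_authorized(d):
        src = ipaddress.ip_address(d.src_ip)
        return d.rule_id == rule_id and any(src in n for n in nets)

    return is_authorized


def triage(detections, is_authorized):
    """Split detections into (kept, suppressed); only authorized scanner hits are dropped."""
    kept, suppressed = [], []
    for d in detections:
        (suppressed if is_authorized(d) else kept).append(d)
    return kept, suppressed
```

Running `triage(SAMPLE, build_exclusion(["10.0.5.20"]))` suppresses the two scanner E0517 hits and keeps the E0517 from the unknown host and the scanner's non-E0517 detection.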