Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

LEM: Trying to tone down the noise


So I'm going through the Monitor filters and I'm trying to get rid of some of the noise. I don't understand why some of the rules are matching. For example, we have a webserver, and whenever the firewall permits traffic to it, for some reason LEM logs it under the PortScan rule for the "Unusual Network Traffic" filter. This filter is composed of the vague "Network Suspicious Alerts" group (and I say vague because even when I go under Build > Groups and follow the selection tree down, I still don't know what the criteria are other than "TCPportscan", for example).

So to start this off, my question is: why is this being pegged as a PortScan when the Destination port is always port 80 for this host?

