So, I did some digging. No connector will throw a PingSweep event by itself. Some of them will create ICMPPingSweep events, or TCPPingSweep events, but no "just" PingSweep events.
That means all of them are inferred from other rules, like:
- ICMPTrafficAudit Echo Request Infer Ping Sweep alert
- ICMPTrafficAudit Echo Reply Infer Ping Sweep alert
If you want to stop the PingSweeps from some hosts, my advice would be:
- Create a user-defined group with the hosts that you want to ignore in it; it'll make things easier
- Add that exemption to rules that infer PingSweeps, like the two I mentioned
That'll stop the alerts from getting inferred in the first place, something like this: