I have recently set up MARS and I am working on getting some of the tuning done so I don't get as many incidents created. Some of the typical stuff I want to tune out is general Windows network stuff, like SMB Remote SAM service access, since this traffic is normal on an internal Windows network. The problem I am running into is not being able to define the networks to tune.
For example, I query for all the incidents matching the referenced event, and once the query is returned, I click on the False Positive Tuning link on the right. After that, a window pops up and I can select the event using a check box, and then I can select the source and destination. The problem I have is that it seems I can only do a one-to-many approach. Instead of being able to say anything 192.168.1.0/24 to 192.168.1.0/24, log to DB only, it seems I can only do a single host to a subnet, or vice versa. Is this the way it's supposed to work? If so, how would I go about tuning out an entire subnet from certain events?
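To make the distinction in the question concrete, here is an added illustration (not part of the original post, and not Cisco MARS code; it says nothing about how the MARS False Positive Tuning wizard is implemented) of the two rule shapes being compared: a one-to-many rule (single host to a subnet) beside the many-to-many rule the poster wants (subnet to subnet, "log to DB only"), evaluated over a few constructed events. The event name, the action labels `log_only` and `incident`, and the sample addresses are all assumptions chosen for the example.

```python
"""Subnet-to-subnet false-positive suppression, as a generic illustration.

Added example, not Cisco MARS code. Shows why a host-to-subnet rule does
not cover the same traffic as a subnet-to-subnet rule, using ipaddress
from the standard library.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class TuningRule:
    event: str          # event name the rule applies to (assumed label)
    src_nets: tuple     # one or more ip_network objects; /32 means "single host"
    dst_nets: tuple
    action: str         # hypothetical action label, e.g. "log_only"

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)

def rule_matches(rule, ev):
    """A rule matches when event name, source and destination all match."""
    return (ev["event"] == rule.event
            and in_any(ev["src"], rule.src_nets)
            and in_any(ev["dst"], rule.dst_nets))

def classify(events, rules):
    """Return one action per event: the first matching rule's action,
    or "incident" when no rule matches (an incident would be created)."""
    out = []
    for ev in events:
        action = "incident"
        for rule in rules:
            if rule_matches(rule, ev):
                action = rule.action
                break
        out.append(action)
    return out

# Constructed sample events; addresses and event name are invented.
EVENT = "SMB Remote SAM service access"
SAMPLE_EVENTS = [
    {"event": EVENT, "src": "192.168.1.10", "dst": "192.168.1.20"},  # internal -> internal
    {"event": EVENT, "src": "192.168.1.55", "dst": "192.168.1.20"},  # different internal host
    {"event": EVENT, "src": "10.0.0.5",     "dst": "192.168.1.20"},  # source outside the subnet
    {"event": "Other event", "src": "192.168.1.10", "dst": "192.168.1.20"},  # different event
]

LAN = ip_network("192.168.1.0/24")

# One-to-many: only a single source host to the whole subnet is suppressed.
HOST_TO_SUBNET = [TuningRule(EVENT, (ip_network("192.168.1.10/32"),), (LAN,), "log_only")]

# Many-to-many: any host in the subnet to any host in the subnet is suppressed.
SUBNET_TO_SUBNET = [TuningRule(EVENT, (LAN,), (LAN,), "log_only")]

if __name__ == "__main__":
    print("host-to-subnet  :", classify(SAMPLE_EVENTS, HOST_TO_SUBNET))
    print("subnet-to-subnet:", classify(SAMPLE_EVENTS, SUBNET_TO_SUBNET))
```

With the host-to-subnet rule the second event (a different internal source) still becomes an incident, which is exactly the gap the question describes; the subnet-to-subnet rule suppresses both internal events while leaving the external-source event and the unrelated event untouched. Whatever the tool, a suppression rule should stay this narrow: match on the event name and both address ranges, not on the event alone.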