Is anyone else having issues tuning on 500 series signatures, mainly threat names 523, 522, 521? Even just using the threat name, and threat source process name in the exception, events will still continue to generate, and block legitimate activity.
Troubleshooting I have done:
Checked policies assigned on group. System is inheriting correct IPS Rules and IPS Protection policies.
Added unwildcarded Threat Source Process Name to exception for 523. No advanced parameters included.
Disabled signature in the policy. This seemed to work, unfortunately we can't leave it disabled forever.