I think that this question is probably best approached via a support ticket. We would need to know the sig-ids that are being triggered and the nature of the events, and look at the specifics of the rule you have written.
Can you open up a new case on that? When it is resolved, a summary of the findings could be posted to the Community Portal.
Looking at your correlation rule you are using the GTI watchlist feeds. I checked on one of the IP addresses which is in fact listed in the Watchlist.
Possibly you can tweak your rule to use just the Malicious GTI feed rather than both the Suspicious and Malicious?
You can also try removing that particular rule as well to see if it removes a lot of the erroneous triggers.
Just a few things I noticed at first pass.
First, similar to what David Osborne said, you need to do something about your GTI. I suggest, for this correlation, take it out. You will get way too many alerts from that single correlation alone. Use the GTI in its own correlation rule (green rules are correlations).
Secondly, an easier way to get your expected output is to copy the default correlations you are using in your "OR" boolean and add your filter for the destination IP and Source IP, then just rename your correlation to state it's for your crit servers.
Hope that helps.