Cyber Elite
@Jim.Couch,

Build the application rule above the rule that you currently have utilizing services. Once you verify that the application rule has been tuned to match traffic properly (without decryption you'll need to make adjustments for WinRM over HTTPS as an example) the service rule should stop getting hit.


When it comes to cleaning up the service rules, that all depends on your environment and appetite for risk. I've had some people just delete the service rule when the application rule is matching traffic; I'll have some people set up alerting whenever the service rule is hit but leave it there for a month just as backup; I'll have some people set the service rule to deny the traffic with the rule set to alert on any traffic and leave it around for a month. It all depends on your environment and what you decide to do.
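The verification step above, as an added example that is not part of the original post: once the App-ID rule sits above the service rule, triage what still lands on the service rule and separate identified applications (add them to the App-ID rule) from opaque ones such as `ssl` or `incomplete` (the WinRM-over-HTTPS case, which needs decryption or an explicit entry). The log rows, rule names and the `OPAQUE_APPS` set are constructed for illustration, not a real PAN-OS export.

```python
# Added example: decide whether a legacy service-based rule can be retired
# after an application-based rule was placed above it. All data is constructed.
from collections import Counter

# Constructed traffic-log rows: (rule that matched, application, destination port)
SAMPLE_LOG = [
    ("allow-mgmt-appid", "ssh", 22),
    ("allow-mgmt-appid", "ms-rdp", 3389),
    ("allow-mgmt-service", "ssl", 5986),          # WinRM over HTTPS, only seen as ssl
    ("allow-mgmt-service", "ssl", 5986),
    ("allow-mgmt-service", "incomplete", 5985),   # handshake never completed
    ("allow-mgmt-service", "snmp", 161),          # identified app missing from App-ID rule
    ("allow-mgmt-appid", "ssh", 22),
]

# Applications that mean the firewall could not identify the real application
# (assumed list for this example; tune it to what your logs actually show)
OPAQUE_APPS = {"ssl", "incomplete", "unknown-tcp", "unknown-udp", "insufficient-data"}


def residual_hits(log, service_rule):
    """Count traffic still matching service_rule, keyed by (app, port)."""
    hits = Counter()
    for rule, app, port in log:
        if rule == service_rule:
            hits[(app, port)] += 1
    return hits


def triage(log, service_rule):
    """Return what to do with the service rule and what to tune in the App-ID rule.

    status: 'retire' when nothing hits the service rule any more, else 'tune'.
    add_to_app_rule: identified apps that simply need an entry in the App-ID rule.
    opaque: (app, port) pairs that need decryption or an explicit port-bound entry.
    """
    hits = residual_hits(log, service_rule)
    if not hits:
        return {"status": "retire", "add_to_app_rule": [], "opaque": []}
    add = sorted({app for (app, _) in hits if app not in OPAQUE_APPS})
    opaque = sorted({(app, port) for (app, port) in hits if app in OPAQUE_APPS})
    return {"status": "tune", "add_to_app_rule": add, "opaque": opaque}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "allow-mgmt-service"))
```

Run it against a real hit-count or traffic-log export once the row tuple is mapped to your own fields; a month of "retire" results is the signal the post describes before deleting the service rule.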
