Thanks for the reply. The intrusion alert we received was:
"The firewall has blacked a PORT SCAN from remote host 202.68.93.40 on ports 56439, 53659, 53941, 61660,53153, 56699,50673"
and when going into more information:
"Attack name: PORT SCAN
Attacker IP: 202.68.93.40 (ns1.dts.net.nz) (this is our dns server)
Event time: 2017-02-21 177:34:28
Attacker... 90-6C-AC-0B-11-E4"
Could this be a false positive report?