I think you are saying you currently have an any/any allow rule that you want to transition to having specific rule base.
In these cases you first need to make sure logging is enabled for your current rule.
You review the logs to see some specific rules you can add.
You add these rules and move them before the any/any rule.
You return and repeat the log review on the any/any rule.
Add more rules before this rule.
And continue to repeat the process until nothing logs any more on the any/any rule.
You will need to do this over a long enough period to catch periodic traffic.
Finally you change the action on the any/any rule to deny instead of allow
Change the log to session init instead of close.
Now when you see logs here it will be blocked traffic and you can proactively allow if you feel it is legitimate.
Or just wait for requests to open more traffic.