The Network Discovery Policy generally governs this behavior. By default it attempts to discover all applications as that is an integral part of how the Firepower system works. Without that, we cannot use application as an element in any ACP rule nor is the VDB or many of the Snort rules effective.
Disabling it outright is not possible; but I suppose you could tell it to discover based on an address not on your network vs. the "discover all" policy that is the default. Again, this is NOT a recommended practice.