topic Custom Threat is being identified, but not taking the correct action. in Custom Signatures https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-is-being-identified-but-not-taking-the-correct/m-p/288813#M321 <P>We have a custom vulnerability for Datanyze Scraping that is being idenfied but only alerting.&nbsp; This signature looks for http-req-headers and dns-req-headers for the value of Datanyze.&nbsp; This is working great, I can see the traffic in the threat log so I know it is being properly identified.</P><P>&nbsp;</P><P>The configuration of the signature has it set as Severity: Medium, Default Action: Reset Both, Direction: Both and Affected System:&nbsp; Client-and-server.</P><P>&nbsp;</P><P>I checked the policies where the traffic is coming in on and it has the correct vulnerability profile.&nbsp; Note that on the profile we have criticals - mediums set to do a reset-both.&nbsp; We also are not using app-id on this policy but traditional 80/443 service ports.</P><P>&nbsp;</P><P>Any idea why this would be happening?&nbsp; My next step is a support ticket but would like to figure this one out on my own.</P> Tue, 17 Sep 2019 15:55:46 GMT tom.mccomb 2019-09-17T15:55:46Z Custom Threat is being identified, but not taking the correct action. https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-is-being-identified-but-not-taking-the-correct/m-p/288813#M321 <P>We have a custom vulnerability for Datanyze Scraping that is being idenfied but only alerting.&nbsp; This signature looks for http-req-headers and dns-req-headers for the value of Datanyze.&nbsp; This is working great, I can see the traffic in the threat log so I know it is being properly identified.</P><P>&nbsp;</P><P>The configuration of the signature has it set as Severity: Medium, Default Action: Reset Both, Direction: Both and Affected System:&nbsp; Client-and-server.</P><P>&nbsp;</P><P>I checked the policies where the traffic is coming in on and it has the correct vulnerability profile.&nbsp; Note that on the profile we have criticals - mediums set to do a reset-both.&nbsp; We also are not using app-id on this policy but traditional 80/443 service ports.</P><P>&nbsp;</P><P>Any idea why this would be happening?&nbsp; My next step is a support ticket but would like to figure this one out on my own.</P> Tue, 17 Sep 2019 15:55:46 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-is-being-identified-but-not-taking-the-correct/m-p/288813#M321 tom.mccomb 2019-09-17T15:55:46Z