topic Potential False Positive IoC in GlobalProtect Discussions

Potential False Positive IoC

A.Tsadzikidze — Fri, 20 Mar 2026 06:56:07 GMT

Hello everyone! I'm Arsen, Junior SOC Analyst and I've got some questions regarding the detection Evasive HTTP C2 Traffic Detection(89950). Recently, I have received several alerts, where the Destination IP was 91.108.56.132, which is related to AS 62014 (T. Messenger Inc). The user claimed that he used a T. Desktop Application and it seems to be a normal practice in our company, so I don't understand why Palo Alto triggers on this IP.

Re: Potential False Positive IoC

JayGolf — Thu, 26 Mar 2026 01:24:41 GMT

Hi @A.Tsadzikidze ,

Threat ID 89950 is an Anti-Spyware detection and appears to be based on behavioral analysis rather than just the destination IP itself. In other words, Palo Alto may be flagging the HTTP traffic pattern as C2-like, even if the destination belongs to Telegram.

Since you confirmed the user’s activity aligns with expected Telegram Desktop usage, it might be worh it to open a TAC case and including the threat logs and a packet capture so it can be reviewed properly.