https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-vulnerability-false-postives/m-p/998430#M1038 <P>We seem to get alot of false positives triggered in PRISMA , using the default Security profiles .&nbsp;</P> <P>Example, "Brute force attacks"&nbsp; from Microsoft outlook clients accessing exchange online , im not even sure who the victim is, and who the threat actor is in that situation .&nbsp; &nbsp;Seems like Microsoft attacking itself , so not sure why PRISMA is blocking it ,&nbsp; if we werent using PRISMA, Microsoft seems fine with the traffic .</P> <P>Another public site , has a bunch of pictures but PRISMA is flagging them as&nbsp;&nbsp;'HTTP Directory Traversal Request Attempt'&nbsp; , and blocks them ,&nbsp; Again not sure if its blocking them on basis that we are attacking that site , or blocking them as they think those pictures are a threat to us .&nbsp; Whats weird is those same pictures are available else where on that site , where they dont trigger ! .&nbsp; &nbsp;</P> <P>I dont want to submit the site/pictures to have them bypassed , its someone elses content .&nbsp; What i would like is an easy way to exempt false positives directly in the console for sites / content we know are not risks .&nbsp; Hopefully without having to create a new rule for each site.</P> Mon, 16 Dec 2024 02:59:08 GMT M.Bathgate 2024-12-16T02:59:08Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-vulnerability-false-postives/m-p/998430#M1038 <P>We seem to get alot of false positives triggered in PRISMA , using the default Security profiles .&nbsp;</P> <P>Example, "Brute force attacks"&nbsp; from Microsoft outlook clients accessing exchange online , im not even sure who the victim is, and who the threat actor is in that situation .&nbsp; &nbsp;Seems like Microsoft attacking itself , so not sure why PRISMA is blocking it ,&nbsp; if we werent using PRISMA, Microsoft seems fine with the traffic .</P> <P>Another public site , has a bunch of pictures but PRISMA is flagging them as&nbsp;&nbsp;'HTTP Directory Traversal Request Attempt'&nbsp; , and blocks them ,&nbsp; Again not sure if its blocking them on basis that we are attacking that site , or blocking them as they think those pictures are a threat to us .&nbsp; Whats weird is those same pictures are available else where on that site , where they dont trigger ! .&nbsp; &nbsp;</P> <P>I dont want to submit the site/pictures to have them bypassed , its someone elses content .&nbsp; What i would like is an easy way to exempt false positives directly in the console for sites / content we know are not risks .&nbsp; Hopefully without having to create a new rule for each site.</P> Mon, 16 Dec 2024 02:59:08 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-vulnerability-false-postives/m-p/998430#M1038 M.Bathgate 2024-12-16T02:59:08Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-vulnerability-false-postives/m-p/1219846#M1085 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222803057">@M.Bathgate</a>&nbsp;wrote:<BR /> <P>We seem to get alot of false positives triggered in PRISMA , using the default Security profiles .&nbsp;</P> <P>Example, "Brute force attacks"&nbsp; from Microsoft outlook clients accessing exchange online , im not even sure who the victim is, and who the threat actor is in that situation .&nbsp; &nbsp;Seems like Microsoft attacking itself , so not sure why PRISMA is blocking it ,&nbsp; if we werent using PRISMA, Microsoft seems fine with the traffic .</P> <P>Another public site , has a bunch of pictures but PRISMA is flagging them as&nbsp;&nbsp;'HTTP Directory Traversal Request Attempt'&nbsp; , and blocks them ,&nbsp; Again not sure if its blocking them on basis that we are attacking that site , or blocking them as they think those pictures are a threat to us .&nbsp; Whats weird is those same pictures are available else where on that site , where they dont trigger ! .&nbsp; &nbsp;</P> <P>I dont want to submit the site/pictures to have them bypassed , its someone elses content .&nbsp; What i would like is an easy way to exempt false positives directly in the console for sites / content we know are not risks .&nbsp; Hopefully without having to create a new rule for each site.</P> <HR /></BLOCKQUOTE> <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222803057">@M.Bathgate</a>&nbsp;, if you have an account team Paloalto representative, I would recommend to share this feedback with them so they can be review the situation with you and also provide feedback to the relevant product team if any changes is required.&nbsp;</P> Sun, 09 Feb 2025 02:22:32 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-vulnerability-false-postives/m-p/1219846#M1085 Vickynet 2025-02-09T02:22:32Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-vulnerability-false-postives/m-p/1219961#M1087 <P>Thanks , yes previously mentioned to our PA representative, and cases raised etc .&nbsp;&nbsp;</P> <P>Response was that we cant exclude from individual sites , but we can exclude from all . Issue is that its only false for the sites you know its false for , applying to all would weaken the security posture .&nbsp; Was expecting to be able to just a tickbox against a entry to say allow for the site / threat combination (which other vendors have) , but alas that doesnt seem an option .&nbsp; &nbsp;</P> <P>The alerting is basically weaking our security , as given there are 1000's of alerts they are now just auto filed , thus if there was a "real" alert its likly to be missed</P> Tue, 11 Feb 2025 01:13:59 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-vulnerability-false-postives/m-p/1219961#M1087 M.Bathgate 2025-02-11T01:13:59Z