<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Possible false-positive spike: Threat ID 99951 Inline Cloud Analyzed CMD Injection Traffic Detection in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/possible-false-positive-spike-threat-id-99951-inline-cloud/m-p/1258857#M2510</link>
    <description>&lt;P&gt;Hi all,&lt;/P&gt;
&lt;P&gt;Is anyone else seeing a recent spike in the following Advanced Threat Prevention / Inline Cloud Analysis alert?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Threat ID: 99951&lt;BR /&gt;Threat Name: Inline Cloud Analyzed CMD Injection Traffic Detection&lt;BR /&gt;Threat Type: Vulnerability&lt;BR /&gt;Severity: High&lt;BR /&gt;Threat Category: inline-cloud-exploit&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We started seeing a sharp increase in this detection shortly after what appears to have been a Palo Alto cloud-side update/rollout. The increase happened within the same day and does not match our normal baseline.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The alerts are mostly associated with normal outbound user web traffic to common public SaaS, cloud, CDN, and marketing/tracking domains. We are not seeing an obvious endpoint-side indicator that would explain a real command-injection pattern across the affected hosts/users.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;TAC suggested increasing the Inline Cloud Analysis Max Latency setting from the default 200 ms to 1000 ms. We changed it to 800 ms as a test, but it has not reduced the volume.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What we are trying to determine:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. Is anyone else seeing a recent increase in Threat ID 99951?&lt;BR /&gt;2. Did anyone observe this starting after a recent cloud-side Advanced Threat Prevention / Inline Cloud Analysis update?&lt;BR /&gt;3. Has Palo confirmed any false-positive activity or detection-model issue for this threat ID?&lt;BR /&gt;4. Did changing Inline Cloud Analysis Max Latency help anyone, or did the alerts continue?&lt;BR /&gt;5. Has anyone received a better mitigation from TAC besides increasing latency?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We are not looking to disable Inline Cloud Analysis globally. At this point we are trying to confirm whether this is a localized issue, a broader cloud-model false-positive condition, or something specific to our configuration.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any feedback from others seeing similar behavior would be appreciated.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Event details:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Threat ID: 99951&lt;BR /&gt;Threat Name: Inline Cloud Analyzed CMD Injection Traffic Detection&lt;BR /&gt;Severity: High&lt;BR /&gt;Type: Vulnerability&lt;BR /&gt;Category: inline-cloud-exploit&lt;BR /&gt;Direction: outbound client web traffic&lt;BR /&gt;Pattern: sudden spike across multiple users/hosts&lt;BR /&gt;Destinations: common public SaaS/cloud/CDN/marketing domains&lt;BR /&gt;Latency setting before: 200 ms&lt;BR /&gt;Latency setting tested: 800 ms&lt;BR /&gt;Result: no noticeable reduction in alert volume&lt;/P&gt;</description>
    <pubDate>Mon, 13 Jul 2026 22:05:49 GMT</pubDate>
    <dc:creator>J.Smith958349</dc:creator>
    <dc:date>2026-07-13T22:05:49Z</dc:date>
    <item>
      <title>Possible false-positive spike: Threat ID 99951 Inline Cloud Analyzed CMD Injection Traffic Detection</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/possible-false-positive-spike-threat-id-99951-inline-cloud/m-p/1258857#M2510</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;
&lt;P&gt;Is anyone else seeing a recent spike in the following Advanced Threat Prevention / Inline Cloud Analysis alert?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Threat ID: 99951&lt;BR /&gt;Threat Name: Inline Cloud Analyzed CMD Injection Traffic Detection&lt;BR /&gt;Threat Type: Vulnerability&lt;BR /&gt;Severity: High&lt;BR /&gt;Threat Category: inline-cloud-exploit&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We started seeing a sharp increase in this detection shortly after what appears to have been a Palo Alto cloud-side update/rollout. The increase happened within the same day and does not match our normal baseline.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The alerts are mostly associated with normal outbound user web traffic to common public SaaS, cloud, CDN, and marketing/tracking domains. We are not seeing an obvious endpoint-side indicator that would explain a real command-injection pattern across the affected hosts/users.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;TAC suggested increasing the Inline Cloud Analysis Max Latency setting from the default 200 ms to 1000 ms. We changed it to 800 ms as a test, but it has not reduced the volume.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What we are trying to determine:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. Is anyone else seeing a recent increase in Threat ID 99951?&lt;BR /&gt;2. Did anyone observe this starting after a recent cloud-side Advanced Threat Prevention / Inline Cloud Analysis update?&lt;BR /&gt;3. Has Palo confirmed any false-positive activity or detection-model issue for this threat ID?&lt;BR /&gt;4. Did changing Inline Cloud Analysis Max Latency help anyone, or did the alerts continue?&lt;BR /&gt;5. Has anyone received a better mitigation from TAC besides increasing latency?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We are not looking to disable Inline Cloud Analysis globally. At this point we are trying to confirm whether this is a localized issue, a broader cloud-model false-positive condition, or something specific to our configuration.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any feedback from others seeing similar behavior would be appreciated.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Event details:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Threat ID: 99951&lt;BR /&gt;Threat Name: Inline Cloud Analyzed CMD Injection Traffic Detection&lt;BR /&gt;Severity: High&lt;BR /&gt;Type: Vulnerability&lt;BR /&gt;Category: inline-cloud-exploit&lt;BR /&gt;Direction: outbound client web traffic&lt;BR /&gt;Pattern: sudden spike across multiple users/hosts&lt;BR /&gt;Destinations: common public SaaS/cloud/CDN/marketing domains&lt;BR /&gt;Latency setting before: 200 ms&lt;BR /&gt;Latency setting tested: 800 ms&lt;BR /&gt;Result: no noticeable reduction in alert volume&lt;/P&gt;</description>
      <pubDate>Mon, 13 Jul 2026 22:05:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/possible-false-positive-spike-threat-id-99951-inline-cloud/m-p/1258857#M2510</guid>
      <dc:creator>J.Smith958349</dc:creator>
      <dc:date>2026-07-13T22:05:49Z</dc:date>
    </item>
  </channel>
</rss>

