https://live.paloaltonetworks.com/t5/general-topics/about-threatid-action/m-p/1248113#M125995 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/236">@hitachisas</a>&nbsp;<BR /><BR /></P> <P data-start="0" data-end="236">The default action for each Threat ID is determined by the <SPAN class="hover:entity-accent entity-underline inline cursor-pointer align-baseline"><SPAN class="whitespace-normal">Palo Alto Networks</SPAN></SPAN> Threat Research team based on their internal evaluation criteria and several metrics. These criteria include the type of vulnerability, its impact, and its severity.<BR /><BR /></P> <P data-start="238" data-end="605">In some cases, you may see Threat IDs with <STRONG data-start="281" data-end="289">High</STRONG> or <STRONG data-start="293" data-end="305">Critical</STRONG> severity set to <STRONG data-start="322" data-end="333">“Alert”</STRONG> as the default action. This is common for newly released threats, such as new CVEs or signatures. They are initially set to <STRONG data-start="458" data-end="469">“Alert”</STRONG>&nbsp;for monitoring and observation. In later updates, the default action may be changed to <STRONG data-start="562" data-end="573">“Reset”</STRONG> or <STRONG>"BLOCK</STRONG>" action if needed.<BR /><BR /></P> <P data-start="607" data-end="805">You can review Threat ID details, including severity and default actions, directly on the firewall (ensure the latest Threat content update is installed) or on <A href="https://threatvault.paloaltonetworks.com/" target="_self"><SPAN class="hover:entity-accent entity-underline inline cursor-pointer align-baseline"><SPAN class="whitespace-normal">ThreatVault</SPAN></SPAN></A><BR /><BR /></P> <P data-start="807" data-end="925" data-is-last-node="" data-is-only-node="">If required, you can manually override the default action and set a specific Threat ID to <STRONG data-start="898" data-end="909">“Block”</STRONG> or <STRONG data-start="913" data-end="925" data-is-last-node="">“Reset.”&nbsp;</STRONG><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3UCAS&amp;lang=en_US%E2%80%A9" target="_self">This</A> reference article will help you on it.<BR /><BR />Hope it helps!</P> Fri, 13 Feb 2026 08:32:26 GMT SutareMayur 2026-02-13T08:32:26Z https://live.paloaltonetworks.com/t5/general-topics/about-threatid-action/m-p/1248086#M125993 <P>The followin theatID action is "Alert".<BR />Would you tell me the reason why action is default set to "Alert"?<BR />Would you tell me if there is policy for the default action?</P> <P>&nbsp;</P> <P>30941<BR />31684<BR />31971<BR />32351<BR />34321<BR />34757<BR />36415<BR />39154<BR />39909<BR />54465<BR />54801<BR />59055<BR />85253<BR />86646<BR />90166<BR />93719</P> <P>&nbsp;</P> <P>Best Regards,<BR />Atsushi Takara</P> Fri, 13 Feb 2026 04:52:37 GMT https://live.paloaltonetworks.com/t5/general-topics/about-threatid-action/m-p/1248086#M125993 hitachisas 2026-02-13T04:52:37Z https://live.paloaltonetworks.com/t5/general-topics/about-threatid-action/m-p/1248113#M125995 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/236">@hitachisas</a>&nbsp;<BR /><BR /></P> <P data-start="0" data-end="236">The default action for each Threat ID is determined by the <SPAN class="hover:entity-accent entity-underline inline cursor-pointer align-baseline"><SPAN class="whitespace-normal">Palo Alto Networks</SPAN></SPAN> Threat Research team based on their internal evaluation criteria and several metrics. These criteria include the type of vulnerability, its impact, and its severity.<BR /><BR /></P> <P data-start="238" data-end="605">In some cases, you may see Threat IDs with <STRONG data-start="281" data-end="289">High</STRONG> or <STRONG data-start="293" data-end="305">Critical</STRONG> severity set to <STRONG data-start="322" data-end="333">“Alert”</STRONG> as the default action. This is common for newly released threats, such as new CVEs or signatures. They are initially set to <STRONG data-start="458" data-end="469">“Alert”</STRONG>&nbsp;for monitoring and observation. In later updates, the default action may be changed to <STRONG data-start="562" data-end="573">“Reset”</STRONG> or <STRONG>"BLOCK</STRONG>" action if needed.<BR /><BR /></P> <P data-start="607" data-end="805">You can review Threat ID details, including severity and default actions, directly on the firewall (ensure the latest Threat content update is installed) or on <A href="https://threatvault.paloaltonetworks.com/" target="_self"><SPAN class="hover:entity-accent entity-underline inline cursor-pointer align-baseline"><SPAN class="whitespace-normal">ThreatVault</SPAN></SPAN></A><BR /><BR /></P> <P data-start="807" data-end="925" data-is-last-node="" data-is-only-node="">If required, you can manually override the default action and set a specific Threat ID to <STRONG data-start="898" data-end="909">“Block”</STRONG> or <STRONG data-start="913" data-end="925" data-is-last-node="">“Reset.”&nbsp;</STRONG><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3UCAS&amp;lang=en_US%E2%80%A9" target="_self">This</A> reference article will help you on it.<BR /><BR />Hope it helps!</P> Fri, 13 Feb 2026 08:32:26 GMT https://live.paloaltonetworks.com/t5/general-topics/about-threatid-action/m-p/1248113#M125995 SutareMayur 2026-02-13T08:32:26Z https://live.paloaltonetworks.com/t5/general-topics/about-threatid-action/m-p/1248132#M125996 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/236">@hitachisas</a>&nbsp;,</P> <P>&nbsp;</P> <P data-start="124" data-end="314">The default action for each Threat ID (such as those listed) is defined by Palo Alto Networks when the signature is released. In many cases, the initial default action is set to “Alert”.</P> <P data-start="124" data-end="314">&nbsp;</P> <P data-start="316" data-end="352">There are two main reasons for this:&nbsp;</P> <P data-start="316" data-end="352">&nbsp;</P> <OL data-start="354" data-end="801"> <LI data-start="354" data-end="598"> <P data-start="357" data-end="598">New or recently released signatures are often set to <EM data-start="414" data-end="421">Alert</EM> first. This allows monitoring in real-world environments before enforcing a blocking action, helping to reduce the risk of false positives that could impact production traffic.</P> </LI> <LI data-start="600" data-end="801"> <P data-start="603" data-end="801">Confidence and behavioral impact considerations. Some signatures, especially those that may trigger on legitimate traffic patterns, remain set to <EM data-start="751" data-end="758">Alert</EM> by default to avoid unintended disruption.</P> </LI> </OL> <P>&nbsp;</P> <P data-start="803" data-end="1008">There is no separate configurable “policy” that controls why a signature defaults to Alert. The default action is determined internally by Palo Alto Networks based on research, testing, and telemetry data.</P> <P data-start="803" data-end="1008">&nbsp;</P> <P data-start="1010" data-end="1322">That said... you can override the default behavior in your Security Profile (Vulnerability Protection or Anti-Spyware) if your security policy requires stricter enforcement. Many customers choose to set actions such as <EM data-start="1227" data-end="1239">reset-both</EM> or <EM data-start="1243" data-end="1249">drop</EM> for medium/high/critical severity threats based on their risk tolerance.&nbsp;</P> Fri, 13 Feb 2026 12:57:17 GMT https://live.paloaltonetworks.com/t5/general-topics/about-threatid-action/m-p/1248132#M125996 JayGolf 2026-02-13T12:57:17Z