02-12-2026 08:52 PM
The followin theatID action is "Alert".
Would you tell me the reason why action is default set to "Alert"?
Would you tell me if there is policy for the default action?
30941
31684
31971
32351
34321
34757
36415
39154
39909
54465
54801
59055
85253
86646
90166
93719
Best Regards,
Atsushi Takara
02-13-2026 12:32 AM
Hi @hitachisas
The default action for each Threat ID is determined by the Palo Alto Networks Threat Research team based on their internal evaluation criteria and several metrics. These criteria include the type of vulnerability, its impact, and its severity.
In some cases, you may see Threat IDs with High or Critical severity set to “Alert” as the default action. This is common for newly released threats, such as new CVEs or signatures. They are initially set to “Alert” for monitoring and observation. In later updates, the default action may be changed to “Reset” or "BLOCK" action if needed.
You can review Threat ID details, including severity and default actions, directly on the firewall (ensure the latest Threat content update is installed) or on ThreatVault
If required, you can manually override the default action and set a specific Threat ID to “Block” or “Reset.” This reference article will help you on it.
Hope it helps!
02-13-2026 04:57 AM
Hi @hitachisas ,
The default action for each Threat ID (such as those listed) is defined by Palo Alto Networks when the signature is released. In many cases, the initial default action is set to “Alert”.
There are two main reasons for this:
New or recently released signatures are often set to Alert first. This allows monitoring in real-world environments before enforcing a blocking action, helping to reduce the risk of false positives that could impact production traffic.
Confidence and behavioral impact considerations. Some signatures, especially those that may trigger on legitimate traffic patterns, remain set to Alert by default to avoid unintended disruption.
There is no separate configurable “policy” that controls why a signature defaults to Alert. The default action is determined internally by Palo Alto Networks based on research, testing, and telemetry data.
That said... you can override the default behavior in your Security Profile (Vulnerability Protection or Anti-Spyware) if your security policy requires stricter enforcement. Many customers choose to set actions such as reset-both or drop for medium/high/critical severity threats based on their risk tolerance.
02-13-2026 12:32 AM
Hi @hitachisas
The default action for each Threat ID is determined by the Palo Alto Networks Threat Research team based on their internal evaluation criteria and several metrics. These criteria include the type of vulnerability, its impact, and its severity.
In some cases, you may see Threat IDs with High or Critical severity set to “Alert” as the default action. This is common for newly released threats, such as new CVEs or signatures. They are initially set to “Alert” for monitoring and observation. In later updates, the default action may be changed to “Reset” or "BLOCK" action if needed.
You can review Threat ID details, including severity and default actions, directly on the firewall (ensure the latest Threat content update is installed) or on ThreatVault
If required, you can manually override the default action and set a specific Threat ID to “Block” or “Reset.” This reference article will help you on it.
Hope it helps!
02-13-2026 04:57 AM
Hi @hitachisas ,
The default action for each Threat ID (such as those listed) is defined by Palo Alto Networks when the signature is released. In many cases, the initial default action is set to “Alert”.
There are two main reasons for this:
New or recently released signatures are often set to Alert first. This allows monitoring in real-world environments before enforcing a blocking action, helping to reduce the risk of false positives that could impact production traffic.
Confidence and behavioral impact considerations. Some signatures, especially those that may trigger on legitimate traffic patterns, remain set to Alert by default to avoid unintended disruption.
There is no separate configurable “policy” that controls why a signature defaults to Alert. The default action is determined internally by Palo Alto Networks based on research, testing, and telemetry data.
That said... you can override the default behavior in your Security Profile (Vulnerability Protection or Anti-Spyware) if your security policy requires stricter enforcement. Many customers choose to set actions such as reset-both or drop for medium/high/critical severity threats based on their risk tolerance.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
