I tried searching through the community to see if anyone had asked this, but I didn't see anything... Does anyone else get a ton of false positives in correlation events? We're relatively new to Palo, so it may be a config error, but we're seeing TONS of false positives. Mostly triggering as Beacon detection. I can't seem to find a way to tune out the events either.
The overwhelming majority of the events are Windows machines getting updates from SCCM. Palo is seeing these hosts visiting a unclassified domain (internal to our network), and downloading multiple EXEs. I get why that's being flagged as beacon Detection, but is there a way to tune the Correlation Object so that it doesn't flag the SCCM traffic? I don't believe I can reclassify the domain, since it's on our network and isn't public facing...
Anyone have any experience with this?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!