06-16-2026 01:13 AM
Hi everyone,
I am currently investigating several Cortex XDR incidents that originate from Palo Alto Networks Firewall Security Profiles, specifically detections related to Inline Cloud Analysis, Anti-Spyware C2 classifications.
What I am trying to better understand is why a relatively large amount of legitimate-looking web traffic is being classified as C2 communication and then forwarded into Cortex XDR as incidents.
In some cases, the traffic seems to be related to normal website activity, for example connections to well-known websites such as LinkedIn or embedded third-party services loaded by those sites.
From the Cortex side, I can see the incident, but for proper troubleshooting I need to better understand the original source of the detection on the firewall side, especially the Anti-Spyware profile and Inline Cloud Analysis behavior.
My current assumption is that some modern web traffic patterns may look similar to C2-like behavior, for example:
- embedded JavaScript loading additional content dynamically
- recurring background requests
- small POST requests
- encoded URL parameters
- tracking, analytics, or telemetry endpoints
- communication with third-party domains or CDNs
- WebSocket, long-polling, or beaconing-like behavior
I would like to understand which characteristics typically cause Inline Cloud Analysis to classify traffic as C2 and what others are using to distinguish real C2 activity from false positives in daily operations.
Any practical experience, investigation approach, or recommended fields to look at would be very helpful.
Thanks in advance!
Best Regards,
Tobias
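One practical first-pass check for the traffic patterns listed above, as an added example (not code from the post or from Palo Alto Networks): score each source/destination pair on how evenly spaced its connections are and how uniform the payload sizes are, since a real beacon is typically regular with near-identical small payloads while browser background traffic is bursty and varied. The record layout (ts, src, dst_host, bytes_sent) and every log value are constructed for this example; map your own threat-log export onto those fields.

```python
"""Beacon-regularity triage for firewall C2 verdicts on web-looking traffic."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def _cv(values):
    """Coefficient of variation; 0 means perfectly uniform."""
    m = mean(values)
    return pstdev(values) / m if m else 1.0


def triage(records, review_threshold=0.7):
    """Score each (src, dst_host) pair on interval and payload regularity.

    Returns {pair: {"n": count, "score": 0..1 or None, "label": str}}.
    A high score means machine-like regularity worth an analyst's look;
    a low score is consistent with ordinary page loads and telemetry.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst_host"])].append(r)
    out = {}
    for pair, rs in groups.items():
        if len(rs) < 3:  # too few events to judge spacing
            out[pair] = {"n": len(rs), "score": None, "label": "insufficient"}
            continue
        times = sorted(datetime.fromisoformat(r["ts"]).timestamp() for r in rs)
        intervals = [b - a for a, b in zip(times, times[1:])]
        regularity = 1 - min(_cv(intervals), 1.0)
        uniformity = 1 - min(_cv([r["bytes_sent"] for r in rs]), 1.0)
        score = round((regularity + uniformity) / 2, 3)
        label = "review" if score >= review_threshold else "likely_benign"
        out[pair] = {"n": len(rs), "score": score, "label": label}
    return out


def _rec(ts, src, host, nbytes):  # helper for the constructed sample below
    return {"ts": ts, "src": src, "dst_host": host, "bytes_sent": nbytes}


# Constructed sample records (not real logs): bursty page loads to a
# well-known site versus jittered one-minute connections of ~128 bytes.
SAMPLE_LOGS = [
    _rec("2026-06-16T01:00:00", "10.0.0.5", "www.linkedin.com", 812),
    _rec("2026-06-16T01:00:02", "10.0.0.5", "www.linkedin.com", 1540),
    _rec("2026-06-16T01:00:03", "10.0.0.5", "www.linkedin.com", 96),
    _rec("2026-06-16T01:04:30", "10.0.0.5", "www.linkedin.com", 2210),
    _rec("2026-06-16T01:04:31", "10.0.0.5", "www.linkedin.com", 430),
    _rec("2026-06-16T01:00:00", "10.0.0.7", "sync.example.net", 128),
    _rec("2026-06-16T01:01:00", "10.0.0.7", "sync.example.net", 131),
    _rec("2026-06-16T01:02:02", "10.0.0.7", "sync.example.net", 127),
    _rec("2026-06-16T01:03:00", "10.0.0.7", "sync.example.net", 130),
    _rec("2026-06-16T01:04:01", "10.0.0.7", "sync.example.net", 128),
]

if __name__ == "__main__":
    for pair, result in triage(SAMPLE_LOGS).items():
        print(pair, result)
```

The score is a prioritisation aid only; the pairs it flags still need the firewall's threat-log detail (verdict, URL, application) and a check of the destination's reputation before a verdict is overturned.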