12-15-2024 06:59 PM
We seem to get a lot of false positives triggered in Prisma using the default security profiles.
For example, "Brute force attacks" from Microsoft Outlook clients accessing Exchange Online. I'm not even sure who the victim is and who the threat actor is in that situation. It seems like Microsoft attacking itself, so I'm not sure why Prisma is blocking it; if we weren't using Prisma, Microsoft seems fine with the traffic.
Another public site has a bunch of pictures, but Prisma is flagging them as 'HTTP Directory Traversal Request Attempt' and blocks them. Again, I'm not sure if it's blocking them on the basis that we are attacking that site, or blocking them because it thinks those pictures are a threat to us. What's weird is that those same pictures are available elsewhere on that site, where they don't trigger!
I don't want to submit the site/pictures to have them bypassed; it's someone else's content. What I would like is an easy way to exempt false positives directly in the console for sites/content we know are not risks, hopefully without having to create a new rule for each site.
02-08-2025 06:22 PM
@M.Bathgate wrote:
We seem to get a lot of false positives triggered in Prisma using the default security profiles.
For example, "Brute force attacks" from Microsoft Outlook clients accessing Exchange Online. I'm not even sure who the victim is and who the threat actor is in that situation. It seems like Microsoft attacking itself, so I'm not sure why Prisma is blocking it; if we weren't using Prisma, Microsoft seems fine with the traffic.
Another public site has a bunch of pictures, but Prisma is flagging them as 'HTTP Directory Traversal Request Attempt' and blocks them. Again, I'm not sure if it's blocking them on the basis that we are attacking that site, or blocking them because it thinks those pictures are a threat to us. What's weird is that those same pictures are available elsewhere on that site, where they don't trigger!
I don't want to submit the site/pictures to have them bypassed; it's someone else's content. What I would like is an easy way to exempt false positives directly in the console for sites/content we know are not risks, hopefully without having to create a new rule for each site.
Hello @M.Bathgate, if you have a Palo Alto account team representative, I would recommend sharing this feedback with them so they can review the situation with you and also provide feedback to the relevant product team if any changes are required.
02-10-2025 05:13 PM
Thanks, yes, I previously mentioned this to our PA representative, and cases were raised, etc.
The response was that we can't exclude individual sites, but we can exclude from all. The issue is that it's only a false positive for the sites you know it's false for; applying it to all would weaken the security posture. I was expecting to be able to just tick a box against an entry to say allow for the site/threat combination (which other vendors have), but alas that doesn't seem to be an option.
The alerting is basically weakening our security, as given there are thousands of alerts they are now just auto-filed, so if there were a "real" alert it's likely to be missed.
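The last post describes the practical problem: once a few high-volume (threat, destination) pairs are known to be benign, every other alert drowns with them, and a global exemption for the signature would also hide the one hit that matters. The script below is an added example (not from the thread and not Palo Alto Networks code) that triages a threat-log export by (threat name, destination host), separates repeating noisy pairs from rare ones, and shows how many destinations a global exemption of each noisy signature would also silence. The comma-separated log layout, the field names, the sample records and the hosts (mail.example.com, gallery.example.org, vpn.example.net, app.internal.example) are all constructed assumptions; a real PAN-OS or Prisma Access threat log carries many more fields, so point the parser at the columns of the export you actually have.

```python
"""Triage threat-log volume by (threat, destination host) pair.

Added example; the log format and sample data below are CONSTRUCTED
and assumed, not a real Prisma Access export.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Assumed column order of the export (hypothetical, trimmed to what we need).
FIELDS = ["time", "threat", "action", "src_ip", "dst_ip", "dst_host"]

# Constructed sample records: two noisy, repeating pairs, one single hit of
# the "brute force" signature on a different host, and one rare alert.
SAMPLE_LOG = """\
2025-02-10T09:00:01,Brute force attack,block,10.1.1.5,203.0.113.10,mail.example.com
2025-02-10T09:00:02,Brute force attack,block,10.1.1.6,203.0.113.10,mail.example.com
2025-02-10T09:00:07,Brute force attack,block,10.1.1.7,203.0.113.10,mail.example.com
2025-02-10T09:01:00,Brute force attack,block,10.1.1.5,203.0.113.10,mail.example.com
2025-02-10T09:01:30,Brute force attack,block,10.1.1.40,198.51.100.5,vpn.example.net
2025-02-10T09:02:13,HTTP Directory Traversal Request Attempt,block,10.1.1.8,198.51.100.20,gallery.example.org
2025-02-10T09:02:14,HTTP Directory Traversal Request Attempt,block,10.1.1.8,198.51.100.20,gallery.example.org
2025-02-10T09:02:15,HTTP Directory Traversal Request Attempt,block,10.1.1.9,198.51.100.20,gallery.example.org
2025-02-10T09:05:41,SQL Injection Attempt,block,10.1.1.20,192.0.2.30,app.internal.example
"""


def parse_threat_log(text):
    """Parse the assumed CSV layout into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def count_pairs(records):
    """Count alerts per (threat, destination host) pair."""
    return Counter((r["threat"], r["dst_host"]) for r in records)


def triage(records, noisy_threshold=3):
    """Split pairs into noisy (>= threshold hits) and rare (< threshold).

    Rare pairs are the ones a human should still look at; noisy pairs are
    candidates for a scoped exception after someone has confirmed them benign.
    """
    pairs = count_pairs(records)
    noisy = {p: n for p, n in pairs.items() if n >= noisy_threshold}
    rare = {p: n for p, n in pairs.items() if n < noisy_threshold}
    return noisy, rare


def scoped_exemptions(noisy):
    """Map each noisy threat to only the hosts it repeatedly fired on.

    This is the per-site scope the thread asks for: an exception limited to
    these hosts rather than the signature being disabled everywhere.
    """
    out = defaultdict(set)
    for threat, host in noisy:
        out[threat].add(host)
    return {t: sorted(h) for t, h in out.items()}


def blast_radius(records, threat):
    """Distinct destinations a GLOBAL exemption of `threat` would silence.

    A value larger than the number of confirmed-benign hosts means the
    global exemption would also hide hits you have not reviewed.
    """
    return len({r["dst_host"] for r in records if r["threat"] == threat})


if __name__ == "__main__":
    recs = parse_threat_log(SAMPLE_LOG)
    noisy, rare = triage(recs)
    print("Noisy pairs (review, then scope an exception):")
    for (threat, host), n in sorted(noisy.items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {threat}  ->  {host}")
    print("Rare pairs (do not auto-file these):")
    for (threat, host), n in rare.items():
        print(f"  {n:4d}  {threat}  ->  {host}")
    for threat, hosts in scoped_exemptions(noisy).items():
        print(f"Scoped exception for '{threat}': {hosts}; "
              f"a global exemption would silence {blast_radius(recs, threat)} host(s)")
```

Run it against an export with the same columns to get a ranked list of pairs worth confirming as benign and a separate list of low-volume hits that should not be auto-filed. The blast_radius figure is the number that justifies pushing back on "exclude from all": in the sample, the brute-force signature also fires once against vpn.example.net, which a global exemption would hide.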