02-13-2026 04:57 AM
Hi @hitachisas ,
The default action for each Threat ID (such as those listed) is defined by Palo Alto Networks when the signature is released. In many cases, the initial default action is set to “Alert”.
There are two main reasons for this:
New or recently released signatures are often set to Alert first. This allows monitoring in real-world environments before enforcing a blocking action, helping to reduce the risk of false positives that could impact production traffic.
Confidence and behavioral impact considerations. Some signatures, especially those that may trigger on legitimate traffic patterns, remain set to Alert by default to avoid unintended disruption.
There is no separate configurable “policy” that controls why a signature defaults to Alert. The default action is determined internally by Palo Alto Networks based on research, testing, and telemetry data.
That said... you can override the default behavior in your Security Profile (Vulnerability Protection or Anti-Spyware) if your security policy requires stricter enforcement. Many customers choose to set actions such as reset-both or drop for medium/high/critical severity threats based on their risk tolerance.
