We are see numerous alarms from our SIEM from our Palo Alto firewall. Here is a copy of a scrubbed log message below. When asking the user about their activity, they only RDP'ed into various servers from their laptop via the Globalprotect VPN for remote admin work and ran a batch file that re-maps drives. Additionally they noted browsing to \\<dcserver>\netlogon and that it seem to take long to enumerate directory. Also full AV endpoint scans show clean. Is this s false-positive?
|"03 18 2019 09:21:11 10.100.100.5 <USER:WARN> Mar 18 09:21:11 <FWname> 1,2019/03/18 09:21:11,001701011085,THREAT,virus,2049,2019/03/18 09:21:11,192.168.201.217,10.5.5.3,0.0.0.0,0.0.0.0,GPVPN to Inside Always_byApp,<domainname>, <username>,ms-ds-smbv3,vsys1,SSLVPN,Inside,tunnel.99,ethernet1/1,SIEM,2019/03/18 09:21:11,238186,1,51009,445,0,0,0x2000,tcp,drop,"",Virus/Win32.WGeneric.yurld(258226020),any,medium,server-to-client,55139558,0x2000000000000000,192.168.0.0-192.168.255.255,10.0.0.0-10.255.255.255,0,,0,,,0,,,,,,,,0,0,0,0,0,,sc-fw-pan-01,,,,,0,,0,,N/A,pe,Antivirus-2921-3431,0x0,0,4294967295,"|
FP means False Positive.
A False Positive happens when a signature triggers for benign traffic.
For Palo Alto Networks firewalls there are three common types of False Positives.
1) WildFire False Positive: WildFire arrives at an incorrect verdict, assigning a malicious verdict to a benign file. The general resolution is to identify what caused the incorrect verdict, then flip it to Benign.
2) Antivirus Collision with False Positive: This happens when a Benign file triggers a signature that was created for a file that WildFire assigned an incorrect malicious verdict (as described in #1). The reason for this is that the digital patterns that the Palo Alto Networks parses to identify a Malicious sample coincide in those found in the Benign sample. The general resolution is to identify what is the original sample that created the signature and identify what caused the incorrect verdict, then flip it to Benign.
3) Antivirus Collision with True Positive: This happens when a Benign file triggers a signature that was created for a file that WildFire correctly identified as malicious. The reason for this is that the digital patterns that the Palo Alto Networks parses to identify a Malicious sample coincide in those found in the Benign sample. The general resolution for these is to place an Antivirus Exception.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!