Seeing a disparity in behavior observed between the AutoFocus Threat feed for a specific IP and Prisma Cloud Alert

Created On 02/14/22 10:49 AM - Last Modified 05/30/23 20:03 PM


Symptom


  • Multiple alerts were received for instances within cloud accounts communicating with an IP which was added to the AutoFocus threat feed in January.
  • Prisma search reveals hundreds of Windows instances communicating with the same IP since mid-November.
  • Although Prisma indicates that this IP was added to AutoFocus in January, you have only started receiving alerts in mid-November.
  • The investigation aims to determine whether the IP is erroneously flagged by Prisma or if it indicates a definite breach.




Environment


  • Prisma Cloud Enterprise Edition
  • AutoFocus Palo Alto Networks


Cause


The IP address is marked by AutoFocus based on specific criteria. AutoFocus leverages various sources like firewall logs, DNS logs, malware analysis services, and threat feeds to identify IP addresses involved in attacks. This broad range of sources enables AutoFocus to detect addresses at different stages of an attack.

Regarding the timing of the alert generated in mid-November despite the IP being added in January by AutoFocus, there is a specific set of criteria for triggering AutoFocus-based Alerts. Prisma Cloud generates these alerts when it detects accepted traffic to or from an IP address flagged by AutoFocus, with a minimum transfer of at least 10kB within one hour. This minimum byte transfer requirement helps avoid false positive cases, such as when attackers are probing encrypted services like SSL or SSH.
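To make the alerting rule above concrete, here is an added example (not Prisma Cloud's own code) that applies the stated criteria to constructed flow records: only accepted traffic to or from an AutoFocus-flagged IP counts, and a pair alerts only when at least 10 kB is transferred within a single one-hour window, so low-volume probing of SSH or SSL never trips it. The flow record layout, the exact byte threshold (10,000) and the sliding-window alignment are assumptions, as is the Trusted Anomaly suppression shown alongside.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD_BYTES = 10_000        # "10kB" per the article; exact count is an assumption
WINDOW = timedelta(hours=1)     # "within one hour", evaluated as a sliding window (assumption)

# Constructed flow records: (timestamp, instance, remote_ip, bytes, action).
# 203.0.113.7 plays the AutoFocus-flagged IP; 198.51.100.9 is an unrelated peer.
SAMPLE_FLOWS = [
    # i-aaa: three small SSH-style probes accepted, 900 bytes total -> below threshold
    ("2021-11-15T10:00:00", "i-aaa", "203.0.113.7", 300, "accept"),
    ("2021-11-15T10:10:00", "i-aaa", "203.0.113.7", 300, "accept"),
    ("2021-11-15T10:20:00", "i-aaa", "203.0.113.7", 300, "accept"),
    # i-bbb: 12,000 bytes accepted within 30 minutes -> alert
    ("2021-11-15T12:00:00", "i-bbb", "203.0.113.7", 6000, "accept"),
    ("2021-11-15T12:30:00", "i-bbb", "203.0.113.7", 6000, "accept"),
    # i-ccc: 12,000 bytes, but spread over 90 minutes -> never 10 kB in one hour
    ("2021-11-15T08:00:00", "i-ccc", "203.0.113.7", 6000, "accept"),
    ("2021-11-15T09:30:00", "i-ccc", "203.0.113.7", 6000, "accept"),
    # i-ddd: large but denied traffic -> not "accepted", no alert
    ("2021-11-15T14:00:00", "i-ddd", "203.0.113.7", 20000, "deny"),
    # i-eee: large accepted traffic to an IP that is not flagged -> no alert
    ("2021-11-15T15:00:00", "i-eee", "198.51.100.9", 20000, "accept"),
]


def autofocus_alerts(flows, flagged_ips, trusted_ips=frozenset()):
    """Return the set of (instance, remote_ip) pairs that meet the alert criteria.

    trusted_ips models the Anomaly Trusted List: flagged IPs placed there are skipped.
    """
    by_pair = defaultdict(list)
    for ts, instance, ip, nbytes, action in flows:
        if ip not in flagged_ips or ip in trusted_ips or action != "accept":
            continue
        by_pair[(instance, ip)].append((datetime.fromisoformat(ts), nbytes))

    alerts = set()
    for pair, events in by_pair.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # evict flows older than one hour relative to the current flow
            while ts - events[start][0] > WINDOW:
                total -= events[start][1]
                start += 1
            if total >= THRESHOLD_BYTES:
                alerts.add(pair)
                break
    return alerts
```

Running `autofocus_alerts(SAMPLE_FLOWS, {"203.0.113.7"})` yields only the i-bbb pair, which is why hundreds of instances can talk to a flagged IP for weeks without an alert until one of them moves enough data in an hour.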



Resolution


You can prevent alert generation for a specific IP by adding it to the Trusted Anomaly list. To add an IP to the Trusted Anomaly list, navigate to Settings, then Anomalies, and select the Anomaly Trusted List under the IP address category.


