Palo Alto data sources in Audit may report small amounts of traffic as allowed that Palo Alto reports as blocked by the PAN Security Profile.
This happens whenever the traffic log records an event without a corresponding event in the threat log. The result is a session recorded with an extremely small amount of traffic. In CloudSOC Audit, the application blocked by Palo Alto appears as allowed but has only a few bytes in the session.
Verify that the traffic and threat logs are sent to CloudSOC at the same time. Any delay between the two logs causes this behaviour.
Audit requires both the Traffic and Threat logs for a Palo Alto data source.
The traffic logs tell CloudSOC Audit the IP and URL traffic, and the threat log is then compared against them to verify what was actually blocked. Without the corresponding threat log, CloudSOC cannot determine that the traffic was blocked, because a few packets were sent to the blocked service as part of the Palo Alto process.
With a PAN Security policy and most other proxies, CASB distinguishes blocked from allowed traffic by treating any session with a data size > 0 as traffic sent or received; a policy block produces no data.
In the case of a PAN Security profile, a small number of packets is recorded in the traffic logs, and the block is seen only in the threat logs.
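The correlation described above, as an added illustration rather than CloudSOC's or Palo Alto's own code: a traffic-log session counts as blocked only when a threat-log entry with the same session ID arrives within an acceptance window, so a threat record that arrives late leaves a tiny "allowed" session behind. The field layout, session IDs, application names, action values and timestamps are constructed for this example and are not the real PAN-OS log format.

```python
"""Correlate PAN-style traffic and threat records by session ID.

Constructed example: the CSV layout used here (received_time, session_id,
app, bytes) for traffic and (received_time, session_id, action) for threat
records is simplified and is NOT the real PAN-OS field order.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class TrafficRecord:
    session_id: str
    received: datetime      # when the collector received the record
    app: str
    bytes_total: int


@dataclass
class ThreatRecord:
    session_id: str
    received: datetime
    action: str             # constructed values such as "block-url"


# Constructed sample input (not real PAN-OS output).
TRAFFIC_LOG = [
    "2024-05-01T10:00:00,1001,dropbox,42",
    "2024-05-01T10:00:01,1002,box,18500",
    "2024-05-01T10:00:02,1003,gdrive,64",
]
THREAT_LOG = [
    "2024-05-01T10:00:00,1001,block-url",
    "2024-05-01T10:05:02,1003,block-url",   # arrives 5 minutes after the session
]


def parse_traffic(lines: List[str]) -> List[TrafficRecord]:
    out = []
    for line in lines:
        ts, sid, app, nbytes = line.split(",")
        out.append(TrafficRecord(sid, datetime.fromisoformat(ts), app, int(nbytes)))
    return out


def parse_threat(lines: List[str]) -> List[ThreatRecord]:
    out = []
    for line in lines:
        ts, sid, action = line.split(",")
        out.append(ThreatRecord(sid, datetime.fromisoformat(ts), action))
    return out


def classify(traffic: List[TrafficRecord], threats: List[ThreatRecord],
             max_delay: timedelta = timedelta(seconds=60),
             small_bytes: int = 256) -> Dict[str, str]:
    """Return a verdict per session ID.

    'blocked'         - a threat record for the session arrived within max_delay
    'allowed-suspect' - no timely threat record, but the session carried only a
                        few bytes (the symptom described in the article)
    'allowed'         - no threat record and a normal amount of data
    """
    threat_by_session = {t.session_id: t for t in threats}
    verdicts: Dict[str, str] = {}
    for rec in traffic:
        thr = threat_by_session.get(rec.session_id)
        if thr is not None and abs(thr.received - rec.received) <= max_delay:
            verdicts[rec.session_id] = "blocked"
        elif rec.bytes_total <= small_bytes:
            verdicts[rec.session_id] = "allowed-suspect"
        else:
            verdicts[rec.session_id] = "allowed"
    return verdicts


def late_threat_matches(traffic: List[TrafficRecord], threats: List[ThreatRecord],
                        max_delay: timedelta = timedelta(seconds=60)) -> Dict[str, float]:
    """Sessions whose threat record exists but fell outside the window.

    Maps session ID to the delay in seconds; a non-empty result points at a
    log-forwarding delay between the traffic and threat logs.
    """
    traffic_by_session = {t.session_id: t for t in traffic}
    late: Dict[str, float] = {}
    for thr in threats:
        rec = traffic_by_session.get(thr.session_id)
        if rec is None:
            continue
        delay = thr.received - rec.received
        if abs(delay) > max_delay:
            late[thr.session_id] = abs(delay.total_seconds())
    return late


if __name__ == "__main__":
    traffic = parse_traffic(TRAFFIC_LOG)
    threats = parse_threat(THREAT_LOG)
    print(classify(traffic, threats))
    print("late threat records:", late_threat_matches(traffic, threats))
```

With the default 60-second window, session 1003 is reported as "allowed-suspect" even though a block record exists, because that record arrived 300 seconds late; widening `max_delay` to cover the delay turns it into "blocked". In practice the fix is to remove the delay on the forwarding side, as the article says, and the `late_threat_matches` check is a quick way to confirm that a delay is the cause.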