Palo Alto data-sources in Audit may report small amounts of traffic as allowed that Palo Alto reports as blocked by the Pan Security Profile.
This will happen anytime the traffic log records an event without a corresponding event in the threat log. This results in a session recorded with a extremely small amount of traffic. In CloudSOC Audit, the application that was blocked by Palo Alto will appear as allowed, but will only have a few bytes in the session.
Verify that the traffic and treat log are sent to CloudSOC at the same time. Any delay would cause this to happen.
Audit requires both the Traffic and threat logs for a Palo Alto data-source.
The traffic logs tell audit the IP and URL traffic and then the threat log is compared to verify what was actually blocked. Without the corresponding threat log CloudSOC will not be able to determine that the traffic was blocked because a few packets where sent to the service that was blocked as part of the Palo Alto process.
With A PAN Security policy as well as most other Proxy's,CASB detects blocked vs allowed traffic by a security policy with any data size > 0 as traffic sent or received.
In the case of a PAN Security profile a small amount of packets are sent in the traffic logs and then the block is seen by the threat logs.