Report IP false-positive
Unwanted IPS detections are to be expected at some point. The choice of signatures deployed and the security mode selected will significantly impact the number of IPS false positives seen.
Often it can take time to track down and categorize these types of IPS detections as benign or malicious. In the meantime, it’s a good idea to whitelist the signatures (User-Agent strings or hashes) that you are extremely confident are benign. This will help reduce the occurrence of these IPS false-positives and prevent unnecessary disruption to your traffic.
Clicks
Several things can cause clicks to appear in the reports without coming from a true learner. These include clicking a link from a mobile device while connected to cellular data, using a public Wi-Fi network, and the like. If you do not want these clicks to count in your results, it is best to use the Bulk IP Lookup functionality to identify them and whitelist them so that they are no longer displayed in your Click Report.
It is also a good idea to submit the URL/domain/IP address of the system that is consistently generating these IPS false-positives. This can be done by going to Account Home > Analytics & Logs > Network Analytics and selecting the zone where you are seeing this issue. Once submitted, these can be analysed by the Umbrella team to try and understand what is triggering the IPS alerts that are not occurring within your environment.