Wednesday, April 23, 2025

Palo Alto Networks Content Update (version 8969)

Palo Alto Networks Content Update (version 8969) describes upcoming changes to the application and threat identification features in Palo Alto Networks security products.

Key points include:

  • Introduction of Threat Signature Indicators (TSIDs): Palo Alto Networks will continue to introduce new and modified App-IDs as TSIDs, allowing users to prepare before they are fully activated in later content updates.
  • Upcoming Activations (May 20, 2025): Several new functional App-IDs, previously introduced as TSIDs, will be activated for:
    • Jira (SSL decryption required)
    • Microsoft Teams (SSL decryption required)
    • National Transportation Communications for Intelligent Transportation System (ITS) Protocol (NTCIP)
  • New TSIDs and Future Activation (June 17, 2025): New TSIDs will be introduced for:
    • Microsoft SharePoint Online (activation on June 17, 2025, SSL decryption required)
    • Enhanced Webex joining identification (activation on June 17, 2025, no SSL decryption required)
    • Enhanced Modbus over UDP identification (activation on June 17, 2025, no SSL decryption required)
    • Miracast over Infrastructure Connection Establishment (ms-mice) (activation on June 17, 2025, no SSL decryption required)
    • Enhanced Plex browser streaming traffic identification (activation on June 17, 2025, no SSL decryption required)
    • Enhanced Cortex XDR traffic identification to global-content-profiles-policy.storage.googleapis.com (activation on June 17, 2025, no SSL decryption required)
  • dtls App-ID Modifications:
    • The dtls App-ID will become a dependent App-ID for cisco-spark-audio-video and rtp-base in PAN-OS 11.0+ (recommend adding dtls to security policies).
    • New TSIDs for PAN-OS 11.0+ will reduce dtls coverage to fix over-coverage (activation on June 17, 2025).
    • The modified dtls App-ID for detecting DTLS within STUN in PAN-OS 10.2 and earlier will be activated (recommend adding dtls and/or stun to policies allowing related App-IDs).
  • Other Changes:
    • Fix for linkedin-mail identification.
    • Enhanced coverage for zscaler-internet-access App-ID (recommend adding to policies if Zscaler is used).
    • Updated category/subcategory for adobe-echosign.
    • Updated risk scores for more SaaS App-IDs.
  • Reminders of Previous Updates (April 16, 2025): Activation of Google Compute Engine, Jira, Microsoft Teams, Tableau AI, and Slack App-IDs; expanded coverage for FTP and Ring; updated SaaS App-ID risk scores; and a fix for WildFire Inline ML models in the CLI.
  • Decoder and Signature Updates: Includes changes to FTP, HTTP, HTTP2, and MB-8-1 decoders, a new EML file type, and improved detection logic for several vulnerability signatures.
  • Region Code Deprecation: The planned deprecation of A1 and A2 region codes is under further research.
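The recurring recommendation above is to add a newly dependent App-ID (dtls for cisco-spark-audio-video and rtp-base on PAN-OS 11.0+, dtls and/or stun on PAN-OS 10.2 and earlier) to every security policy rule that allows the parent App-ID, since a rule that allows the parent but not its dependency will start dropping that traffic once the TSID is activated. The following is an added example, not part of the original post and not Palo Alto Networks' own tooling: it checks a rulebase for exactly that gap. The rule representation (a list of dicts with `name`, `action`, `apps`) is a constructed, simplified stand-in for an exported rulebase; the PAN-OS 11.0+ dependency map is taken from the update note, while the PAN-OS 10.2 map assumes the same two parent App-IDs are the "related App-IDs" the note refers to, which the note does not name.

```python
"""Find allow rules that permit an App-ID but not its newly dependent App-ID.

Added example, not code from the original post or from Palo Alto Networks.
Rules below are constructed sample data, not an actual exported rulebase.
"""
from typing import Dict, List, Set, Tuple

# Dependencies stated in the content update for PAN-OS 11.0+:
# each parent App-ID maps to the set of App-IDs of which at least ONE
# must also be allowed by the same rule.
REQUIREMENTS_PANOS_11: Dict[str, Set[str]] = {
    "cisco-spark-audio-video": {"dtls"},
    "rtp-base": {"dtls"},
}

# PAN-OS 10.2 and earlier: the note recommends "dtls and/or stun" on policies
# allowing the related App-IDs. ASSUMPTION: the same two parents are meant;
# the note itself does not list them.
REQUIREMENTS_PANOS_10_2: Dict[str, Set[str]] = {
    "cisco-spark-audio-video": {"dtls", "stun"},
    "rtp-base": {"dtls", "stun"},
}

# Constructed sample rulebase (simplified shape, not a real PAN-OS export).
SAMPLE_RULES: List[Dict] = [
    {"name": "allow-webex", "action": "allow",
     "apps": ["cisco-spark-audio-video", "ssl"]},
    {"name": "allow-voip", "action": "allow",
     "apps": ["rtp-base", "dtls", "stun"]},
    {"name": "allow-all-apps", "action": "allow", "apps": ["any"]},
    {"name": "deny-webex", "action": "deny",
     "apps": ["cisco-spark-audio-video"]},
]

Finding = Tuple[str, List[str]]  # (parent App-ID, sorted acceptable dependencies)


def missing_dependencies(rules: List[Dict],
                         requirements: Dict[str, Set[str]]) -> Dict[str, List[Finding]]:
    """Return {rule_name: [(parent, [acceptable deps]), ...]} for gaps found.

    Only 'allow' rules matter: a deny rule lacking the dependency changes
    nothing. A rule whose application list is 'any' already covers every
    dependency and is skipped. A rule is flagged when it allows a parent
    App-ID but none of the App-IDs that would satisfy the dependency.
    """
    findings: Dict[str, List[Finding]] = {}
    for rule in rules:
        if rule.get("action") != "allow":
            continue
        apps = set(rule.get("apps", []))
        if "any" in apps:
            continue
        gaps: List[Finding] = []
        for parent, alternatives in requirements.items():
            if parent in apps and not (apps & alternatives):
                gaps.append((parent, sorted(alternatives)))
        if gaps:
            findings[rule["name"]] = gaps
    return findings


def suggested_additions(findings: Dict[str, List[Finding]]) -> Dict[str, List[str]]:
    """Collapse findings into the App-IDs to add per rule (sorted, de-duplicated)."""
    return {
        rule: sorted({dep for _, deps in gaps for dep in deps})
        for rule, gaps in findings.items()
    }


if __name__ == "__main__":
    for label, reqs in (("PAN-OS 11.0+", REQUIREMENTS_PANOS_11),
                        ("PAN-OS 10.2 and earlier", REQUIREMENTS_PANOS_10_2)):
        found = missing_dependencies(SAMPLE_RULES, reqs)
        print(f"{label}: {len(found)} rule(s) need attention")
        for rule, adds in suggested_additions(found).items():
            print(f"  {rule}: add {', '.join(adds)}")
```

Run against the constructed rules, only `allow-webex` is flagged under both maps: it allows cisco-spark-audio-video without dtls (or stun). Running the same check before the June 17 activation date, with the rulebase exported from the firewall substituted for the sample list, is the practical way to act on the note's recommendation rather than waiting for dropped sessions to reveal the gap.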

In essence, this update provides administrators with advance notice of changes to Palo Alto Networks' application and threat identification capabilities, allowing them to prepare their security policies for these updates to maintain effective traffic control.
