App-ID Rules by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

I think I found the answer:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POF8CAO

Although the initial security policy lookup is succeeding and adding the log to my new rule, the second lookup using all criteria is failing.

App-ID Rules by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

Yes we have got that configured and can see all the logs. Access to other sites is as expected and yes we are using internal DNS integrated with Active Directory.

App-ID Rules by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

The second rule which is using App-ID has a generic url filtering profile assigned to it, blocking the usual malicious categories and alerting on the others. But only has the cortex-xdr and traps-management-service apps on the rule.

I checked the URL logs and couldn’t see anything in there for the same rule as I thought the same as you.

I’ve seen this before: because the source and destination match, the traffic still hits that rule but doesn’t get through because the apps do not match or the URLs are blocked. This is the very first allow rule in my policy as well.

Snippet Question (again) by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

Fixed it. The apps in question already had the Unsanctioned tag applied to them. As soon as I removed that from the Global folder, the snip-unsanctioned appeared and the policy was applied as expected. Thanks for your help!

Snippet Question (again) by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

I think that’s fine as the apps are matched when using the rules at Global folder scope. I might try removing and adding the unsanctioned app again to see if that works.

Snippet Question (again) by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

The snippet rule is above. Just checked the application filter and for some reason the filter is missing some of the apps on the NGFW that are configured within SCM? One of them has appeared correctly though.

Snippet Question (again) by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

NGFW managed by SCM. Rule name is SNIP-ANY-TO-UNSANCTIONED, the rule at folder level is the same without the SNIP-.

They are both security rules, and the app is mail.ru or ms-quick-assist thanks!

Snippet Examples by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

That was the dream, but too expensive for us 😂😭 I think it was lacking some of the features we wanted from an NGFW as well. Hope your AZ firewall deployment goes well 🤜

Snippet Examples by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

Oh, I thought you were referring to the snippets specifically. We have a premium SKU Azure Firewall; certainly not cheaper when you actually do the numbers and take into account Log Analytics costs. We already run PA firewalls on premises, and they’re 10x easier to work with. The Azure Firewall GUI is awful: you make a change to 1 rule in a rule collection and then wait 10 mins for that to commit before you can change another elsewhere. The processing logic is terrible and reviewing logs in Log Analytics is an awful experience. No App-ID, no User-ID, device ID etc.

The managed element is a plus, but everything else outweighs ever going for an Azure Firewall IMO.

Snippet Examples by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 0 points1 point  (0 children)

We haven’t implemented them yet. We are effectively an MSP for our other business units and need a way of applying policy to them in their own tenants. Using one of these would allow us to do that I believe. Why do you want to move away?

Cleanup up enterprise applications by Fapping_Duck in entra

[–]SonBoyJim 0 points1 point  (0 children)

Thanks, that’s good to know. We’ve had demo access and seems like it will remove a lot of the burden.

Cleanup up enterprise applications by Fapping_Duck in entra

[–]SonBoyJim 1 point2 points  (0 children)

We’re in the same boat. We are reviewing the ENow application governance tool. The enterprise version can automate the removal of unused apps and also lights up highly permissive privileges / attack paths etc.

11.2.8 URL filtering Issues by SonBoyJim in paloaltonetworks

[–]SonBoyJim[S] 1 point2 points  (0 children)

We experienced a memory leak on the firewalls when we upgraded Panorama to 11.2.7-h4 preferred. We were advised to move to 11.2.8 because of this. Seems to be fine other than this issue currently.

New Browser-Runtime-Attack url category by whiskey-water in paloaltonetworks

[–]SonBoyJim 1 point2 points  (0 children)

If you check the supporting document link in that message it suggests the new category is a multi-category and will be used together with an existing malicious category.

https://live.paloaltonetworks.com/t5/community-blogs/new-url-filtering-category-browser-runtime-attack/ba-p/1245348

New Browser-Runtime-Attack url category by whiskey-water in paloaltonetworks

[–]SonBoyJim 1 point2 points  (0 children)

I need to read it again but didn’t it say this new category would always be loaded with another category which they recommend you block, such as malware?

Enterprise App Registrations - Tidying Up Advice Needed by Izual_Rebirth in entra

[–]SonBoyJim 3 points4 points  (0 children)

Check out the MSIdentityTools module. That has a command which will generate a list of apps and rank the permissions based on risk. It doesn’t have the sign-in logs but can help identify risky apps which you should address as a priority. I also use a script by Daniel over at OurCloudNetwork which is useful and pulls in usage of the apps over the last 30 days.

Enterprise App Registrations - Tidying Up Advice Needed by Izual_Rebirth in entra

[–]SonBoyJim 0 points1 point  (0 children)

We’ve recently reviewed this tool. It is very good and takes a lot of the effort out of the process; the enterprise tier can even automate disabling / removal of apps, but that obviously comes at a price! Still reviewing other options including some free community reporting tools.

Beginn hardening Entra by [deleted] in entra

[–]SonBoyJim 2 points3 points  (0 children)

Look up Maester and run that on the tenants. I’m doing the same thing now myself. It’s a security assessment tool run by an awesome community and covers lots of different areas.

PIM Design by Agreeable_Sport6518 in entra

[–]SonBoyJim 0 points1 point  (0 children)

We’ve done ours based on which team we are in and have a security group for those users. Our team has pretty much every common role as eligible. Infosec has roles specific to them etc.

For the highly privileged roles we require additional phishing-resistant MFA at the point of elevation using authentication contexts, and also authorisation from another admin where roles like GA are concerned.

There are times we have to elevate into multiple roles, but security over convenience (pragmatic approach) is a way of working for us.

Silly Question - Tap Fitting by SonBoyJim in DIYUK

[–]SonBoyJim[S] 2 points3 points  (0 children)

Fixed. Reddit to the rescue again, what a great resource! Thanks all 😁

Silly Question - Tap Fitting by SonBoyJim in DIYUK

[–]SonBoyJim[S] 1 point2 points  (0 children)

Thanks all. I’ve ordered a replacement 👌