New Features - Device Security - March 2025
Custom Alerts Enhancement
(March 2025) Device Security supports using the Site attribute when defining the target devices in the Alert Rule Engine Editor. You can create a new custom alert rule or edit an existing alert rule to use the Site attribute.
(January 2025) Device Security adds "Endpoint Protection" and "Profile Change" as options for the Change Event condition when configuring Custom Alerts. The "Profile Change" event happens when a device's profile changes from the "Target Profile" to a different profile.
Device Security Integration with Juniper Networks Mist AI
Device Security supports integrating with Juniper Networks Mist AI to learn about devices and wireless clients from Mist AI. Device Security can retrieve device details from Mist AI and use that information to enrich device information in the Device Security assets inventory. Device Security also creates new devices in the asset inventory for devices learned through the Mist AI integration.
Device Security Integration with PAN-OS
Without AIOps telemetry enabled in PAN-OS, firewall devices in Device Security often display only basic information and lack critical contextual details needed for comprehensive network security management. Integrate Device Security with PAN-OS® to enhance visibility into your Palo Alto Networks firewall infrastructure when AIOps is not enabled on your firewalls. The integration retrieves and displays essential firewall metadata.
You can configure the integration to connect directly to individual firewalls or through Panorama® management server for centralized management of multiple firewalls. The integration uses Cortex XSOAR® to establish API connections with your PAN-OS devices and automatically retrieve device information at scheduled intervals. When you deploy this integration, Device Security categorizes your firewall devices as network security equipment. This enhanced visibility helps you better understand your network topology, assess security risks more accurately, and make informed decisions about your firewall infrastructure.
The integration serves as an alternative data collection method for environments that don't use AIOps telemetry for device profiling capabilities. You can schedule recurring jobs, ensuring your firewall information remains current and accurate within Device Security. This solution is particularly valuable when you need complete asset inventory and contextual information for effective threat detection and response in your Device Security environment.
Multi-interface Enhancement
You can now search for interfaces based on their MAC addresses, even when there are multiple MAC addresses for a single interface, or for multi-interface devices. When viewing interface information on a primary device's Device Details page, you can see the MAC addresses of the individual interfaces and the source from which those interfaces were learned.
Redesigned Data Quality Page
We improved the Data Quality Diagnostics page to present more robust information on data quality issues, as well as guided workflows on how to improve the data. You can view three breakdowns: Basic Health Check, Low Inventory, and Missing Devices. Each breakdown provides a more granular view into gaps in your network visibility, as well as recommendations for improving visibility and coverage across your network.
Subnet Monitoring Enhancement
Device Security updated the subnet monitoring workflow for networks for a more intuitive experience. When you start or stop monitoring a block, all of its child networks (blocks and subnets) inherit the same monitoring status. You can view the monitoring status of your network in the Networks table.
When you stop monitoring a subnet, Device Security removes all of the devices and IP endpoints associated with that subnet. Device Security also resolves the alerts, and removes the vulnerability instances, associated with the subnet's devices. If you start monitoring the subnet again, Device Security adds the related assets back to the inventory, reopens alerts, and adds back the vulnerability instances.
Telemetry Status for Firewalls
You can view the telemetry status of your firewalls on the network Firewalls page. To view telemetry status on the Firewalls table, select Telemetry Enabled in the column selector. When you click on an individual firewall, the firewall details pop-up also displays the telemetry status. Firewall telemetry helps Device Security learn additional subnet details, such as VLAN and security zone based on NGFW interface. When enabling telemetry on your firewall, select Device Health and Performance and Product Usage to help Device Security learn subnet details.
Vulnerability Details Enhancement
When searching the Vulnerabilities Inventory for vulnerabilities using the query builder, you can now search by keyword, such as Apache log4j, or by an advanced persistent threat (APT) associated with the vulnerability. The vulnerability keyword attribute maps to the NVD Title attribute on the Vulnerability Details page.
In the APT column in the vulnerabilities table, Device Security now displays the number of APTs associated with each vulnerability. Click on the APT number to view more information about the APTs.