Threat Logs Not Generated for App-ID TSID Configuration.
Symptom
After configuring an App-ID TSID (Threat Signature Indicators) and a corresponding Vulnerability Protection profile, no "Threat logs" are generated.
Environment
-
Any PAN-OS, Any Platform
-
App-ID TSIDs (Threat Signature Indicators)
-
Security Policy with a Vulnerability Protection profile applied.
Cause
There are two primary causes for this symptom:
-
Incorrect Policy Configuration: The test traffic is not matching a Security Policy rule that has the correct Vulnerability Protection profile attached. The profile must be configured to "Alert" (or "Block") on the specific TSID signature.
-
TSID Lifecycle Expiration: App-ID TSIDs are temporary by design. They are released in an "Applications and Threats" update (~1 month before the official App-ID) and are removed in the update that releases the official App-ID.
-
Example: The TSID for "
azure-storage-accounts-base" was part of the "Applications and Content" version 9023, which was released on 09/16/25. The official App-ID was released in version 9032, released on 10/21/25, and the TSID was removed at this time. So threat logs were not generated because the TSID had been removed/replaced by the actual App-ID from version 9032.
-
Resolution
-
Verify that the test traffic is matching the intended Security Policy rule.
-
Ensure that the Security Policy rule has a Vulnerability Protection profile attached. (Ref. docs below)
-
In the Vulnerability Protection profile, confirm there is a rule with an action of "Alert" (or "Block") for the specific App-ID TSID signature. (Ref. docs below)
-
Check the "Applications and Threats" content release notes to confirm the App-ID TSID is still active and has not been replaced by the official App-ID.
Additional Information
Application and Threats version 9032, Release notes.
New App-IDs: Azure Storage Accounts.
App-ID Change Threat Signature Indicator (TSID) Announcement.
Enable and Monitor App-ID TSIDs
Manage New and Modified App-IDs