
Traps Updates for April - TMS and Traps Agent


Read about the Traps updates for April - TMS and Agent. New features have been added for Traps management service (TMS) and Traps agent 6.0.1. New features to Traps include Extended On-Demand Quarantine Support, Quarantine Visibility Enhancements, Action Initiator Tracking, and much more!


 

Hello everyone, Traps is an integral part of the cybersecurity puzzle to keep your endpoints secure, and when there are new features, we want to make sure you are aware of them.

 

We are all about Traps updates today, which means we'll be covering new features for the following two products:

  • Traps Management Service (TMS) 
  • Traps Agent 6.0.1 

 

*Let's start off with what's been added to Traps management service (TMS) for April:

FEATURE DESCRIPTION

Extended On-Demand Quarantine Support

Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft Office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified as exhibiting ransomware behavior. If, after you quarantine a file or process, you need to restore it, you can easily do so from the security event or from Files > Quarantine.

Quarantine Visibility Enhancements

For increased visibility and management of quarantined files, the following enhancements were made:

  • Multiple file names—Instead of displaying only the first reported file name for a quarantined file, Traps management service now indicates files with Multiple names on Files > Quarantine. Otherwise, if all reported files have the same name, the Quarantine page displays the unique File Name. To view the quarantined file name and location on each endpoint, select the hash to open the details view.
  • Quarantine initiator—You can now view the user or service that initiated a quarantine action in the Quarantined By field of Files > Quarantine. This field can reflect Traps Agent Policy when the security policy triggers the quarantine action, or the username and service that initiated the on-demand quarantine action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.
  • Hash visibility for source and quarantined files—From the security event details, you can now distinguish between the source, target, and quarantined file. In the case of macros, the security event shows the hash associated with the DOCUMENT and the hash and verdict associated with the MACRO.
  • Security events by quarantined file—You can now filter security events by the Process/File Name of a quarantined file. This can be useful to help locate events where the source file was not the quarantined file (for example with behavioral threat events or malicious DLLs).

Logs by Custom Timeframes

To help you quickly find server or endpoint logs that occurred during a specific time period, the Timeframe filter has been enhanced to allow you to define Custom date ranges, dates, and times.

Action Initiator Tracking

The Actions Tracker now indicates the user and service that initiated an action in the Created By field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy.

Security Events by Event Type

To help you quickly find specific types of security events, you can now filter by Event Type. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial event type.

 

 

**Traps Agent 6.0.1 New Feature: 

FEATURE DESCRIPTION

Windows Server 2019 Support

You can now install Traps on Windows Server 2019. For complete compatibility information, see Palo Alto Networks Compatibility Matrix.

 

 

More Information:

 

Traps Management Service

For all of the newly added Traps management service features as well as software and content versions, limitations and known issues, please see Traps management service release notes here:

Traps Management Service Release Notes

 

Traps Agent

For all of the newly added Traps agent features as well as changes in default behavior, software and content versions, limitations and known and addressed issues, please see Traps agent release notes here:

Traps Agent 6.0 Release Notes

 

Traps Endpoint Security

If you want to see more information about Traps Endpoint Security, best practices and white papers, please see the Traps page here:

Traps Products Page

 

Sources:

* - Reprinted from the Traps management service release notes:  https://docs.paloaltonetworks.com/traps/tms/traps-management-service-release-notes/traps-management-...

 

** - Reprinted from the Traps Agent release notes: https://docs.paloaltonetworks.com/traps/6-0/traps-agent-release-notes/traps-agent-release-informatio...

 

Thanks for taking time to read my blog.

If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the Live Community blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,

Joe Delio

End of line
