Read about the Traps updates for April - TMS and Agent. New features have been added for Traps management service (TMS) and Traps agent 6.0.1. New features to Traps include Extended On-Demand Quarantine Support, Quarantine Visibility Enhancements, Action Initiator Tracking, and much more!
Hello everyone, Traps is an integral part of the cybersecurity puzzle to keep your endpoints secure, and when there are new features, we want to make sure you are aware of them.
We are all about Traps updates today, which means we'll be covering new features for the following two products:
Traps Management Service (TMS)
Traps Agent 6.0.1
*Let’s start off with the what's been added to Traps management service (TMS) for April:
Extended On-Demand Quarantine Support
Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified as exhibiting ransomware behavior. If after you quarantine a file or process you need to restore it, you can easily do so from the security event or from FilesQuarantine.
Multiple file names—Instead of displaying only the first reported file name for a quarantined file, Traps management service now indicates files with Multiple names on FilesQuarantine. Otherwise, if all reported files have the same name, the Quarantine displays the unique File Name. To view the quarantined file name and location on each endpoint, select the hash to open the details view.
Quarantine initiator—You can now view the user or service that initiated a quarantine action in the Quarantined By field of FilesQuarantine. This field can reflect Traps Agent Policy when the security policy triggers the quarantine action or the username and service who initiated the on-demand quarantined action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.
Hash visibility for source and quarantined files—From the security event details, you can now distinguish between the source, target, and quarantined file. In the case of macros, the security event shows the hash associated with the DOCUMENT and the hash and verdict associated with the MACRO.
Security events by quarantined file—You can now filter security events by the Process/File Name of a quarantined file. This can be useful to help locate events where the source file was not the quarantined file (for example with behavioral threat events or malicious DLLs).
Logs by Custom Timeframes
To help you quickly find server or endpoint logs that occurred during a specific time period, the Timeframe filter has been enhanced to allow you to define Custom date ranges, dates, and times.
Action Initiator Tracking
The Actions Tracker now indicates the user and service that initiated an action in the Created By field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy.
Security Events by Event Type
To help you quickly find specific types of security events, you can now filter by Event Type. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial event type.
For all of the newly added Traps agent features as well as changes in default behavior, software and content versions, limitations and known and addressed issues, please see Traps agent release notes here: