Traps Management Service Updates

Enhanced Verdict Information for Quarantined Files

To help you assess whether to restore a quarantined file, Traps management service now provides a history of verdicts and identifies verdicts from multiple verdict-issuing sources. From the additional details view of the file, you can view the WildFire verdict, local analysis verdict, and hash exception verdict. Each verdict also indicates when the verdict was received or changed: For WildFire verdicts, the time is relative to the change in the WildFire cloud service; for local analysis verdicts, the time is relative to the last time a local analysis event was reported for the file matching the file hash; and for hash exception verdicts, the time is relative to the time the exception was created.

Log Severity Correlation

To provide clarity around the severity of security events when you use the Log Forwarding app to forward logs to an external server that receives syslog messages (or to an email server), the Syslog severity is now synchronized with the trapsSeverity field. Now, when Traps management service sends the two severity fields, the syslog severity now contains the remapped definitions.

The enumeration of the severity field has changed as follows:

·       trapsSeverity (0) Informational now maps to Syslog severity (6) Informational.

·       trapsSeverity (1) Low now maps to Syslog severity (5) Notice.

·       trapsSeverity (2) Medium now maps to Syslog severity (4) Warning.

·       trapsSeverity (3) High now maps to Syslog severity (3) Error.

·       trapsSeverity (4) Critical now maps to Syslog severity (2) Critical.

Unlimited Data Export Capacity

The Traps management service export capacity for security events, endpoints, logs, and other Traps management service records is now increased to enable you to export any desired selection of records. Previously Traps management service limited exported data to 10,000 records regardless of the selection. To help you better monitor actions related to exporting data, you can now track export actions from Actions Tracker. In addition, Traps management service has updated the log message type (to view earlier logs, you can use the now renamed log types with the - Legacy suffix).

Bulk Action Capacity Increases

To streamline management and monitoring of commonly performed bulk actions, you can now initiate a bulk actions for an increased number of endpoints. The capacity change applies to the following bulk actions:

·       Upgrade Traps agents (unlimited)

·       Uninstall Traps agents (unlimited)

·       Scan endpoints (unlimited)

·       Abort endpoint scans (unlimited)

·       Restore files (up to 1,000)

The higher capacity enables you to monitor the status of larger numbers of target endpoints in a single bulk action instead of restricting bulk actions to batches of endpoints and monitoring each batch individually.

URL Migration Notice

In May, Palo Alto Networks migrated to new URLs used for communication with Traps management service. If you configured your Palo Alto Networks firewalls to use the traps-management-service App-ID instead of allowing access to the specific URLs, the migration is seamless. If you allowed direct access to the old URLs, you must enable access to the new URLs to ensure communication with Traps management service components.

Role Management from the hub (formerly Cortex Hub)

To enable you to manage roles for all Cortex apps in a single location, you now manage roles from the hub. Any existing users who were assigned roles in the Customer Support Portal and Traps management service are automatically migrated to the hub. We recommend that you review the Hub Getting Started Guide and the roles assigned to your users following this migration of roles to the hub to determine if any changes are required.

In addition, the Permissions page from which you managed role assignments in Traps management service is now removed.

Extended On-Demand Quarantine Support

Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified as exhibiting ransomware behavior. If after you quarantine a file or process you need to restore it, you can easily do so from the security event or from FilesQuarantine.

Quarantine Visibility Enhancements

For increased visibility and management of quarantined files, the following enhancements were made:

·       Multiple file names—Instead of displaying only the first reported file name for a quarantined file, Traps management service now indicates files with Multiple names on FilesQuarantine. Otherwise, if all reported files have the same name, the Quarantine displays the unique File Name. To view the quarantined file name and location on each endpoint, select the hash to open the details view.

·       Quarantine initiator—You can now view the user or service that initiated a quarantine action in the Quarantined By field of FilesQuarantine. This field can reflect Traps Agent Policy when the security policy triggers the quarantine action or the username and service who initiated the on-demand quarantined action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.

·       Hash visibility for source and quarantined files—From the security event details, you can now distinguish between the source, target, and quarantined file. In the case of macros, the security event shows the hash associated with the DOCUMENT and the hash and verdict associated with the MACRO.

·       Security events by quarantined file—You can now filter security events by the Process/File Name of a quarantined file. This can be useful to help locate events where the source file was not the quarantined file (for example with behavioral threat events or malicious DLLs).

Logs by Custom Timeframes

To help you quickly find server or endpoint logs that occurred during a specific time period, the Timeframe filter has been enhanced to allow you to define Custom date ranges, dates, and times.

Action Initiator Tracking

The Actions Tracker now indicates the user and service that initiated an action in the Created By field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy.

Security Events by Event Type

To help you quickly find specific types of security events, you can now filter by Event Type. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial event type.