Traps Updates for April - TMS and Traps Agent

Extended On-Demand Quarantine Support

Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified as exhibiting ransomware behavior. If after you quarantine a file or process you need to restore it, you can easily do so from the security event or from FilesQuarantine.

Quarantine Visibility Enhancements

For increased visibility and management of quarantined files, the following enhancements were made:

• Multiple file names—Instead of displaying only the first reported file name for a quarantined file, Traps management service now indicates files with Multiple names on FilesQuarantine. Otherwise, if all reported files have the same name, the Quarantine displays the unique File Name. To view the quarantined file name and location on each endpoint, select the hash to open the details view.
• Quarantine initiator—You can now view the user or service that initiated a quarantine action in the Quarantined By field of FilesQuarantine. This field can reflect Traps Agent Policy when the security policy triggers the quarantine action or the username and service who initiated the on-demand quarantined action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.
• Hash visibility for source and quarantined files—From the security event details, you can now distinguish between the source, target, and quarantined file. In the case of macros, the security event shows the hash associated with the DOCUMENT and the hash and verdict associated with the MACRO.
• Security events by quarantined file—You can now filter security events by the Process/File Name of a quarantined file. This can be useful to help locate events where the source file was not the quarantined file (for example with behavioral threat events or malicious DLLs).

Logs by Custom Timeframes

To help you quickly find server or endpoint logs that occurred during a specific time period, the Timeframe filter has been enhanced to allow you to define Custom date ranges, dates, and times.

Action Initiator Tracking

The Actions Tracker now indicates the user and service that initiated an action in the Created By field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy.

Security Events by Event Type

To help you quickly find specific types of security events, you can now filter by Event Type. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial event type.

Windows Server 2019 Support

You can now install Traps on Windows Server 2019. For complete compatibility information, see Palo Alto Networks Compatibility Matrix.