4.2 (EoS)
CEF Format
The following table lists each event and the CEF template it is logged with. Placeholders of the form @Model[...] are replaced with the event's values when the event is written.
Event | CEF Format |
---|---|
AccessViolation | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Access Violation\|Threat\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] dvc=@Model["AgentIp"] msg=Access Violation- @Model["TargetName"]: @Model["TargetValue"] |
AgentAuthenticationFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Authentication Failed\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dvc=@Model["AgentIp"] msg=@Model["AgentIp"] authentication failed - @Model["FailureReason"] |
AgentContentUpdate | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Content Update\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=@Model["host"] received new content- version @Model["ContentVersion"] |
AgentMigration | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Migration\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dvc=@Model["AgentIp"] msg=Agent has migrated to Traps cloud services |
AgentPolicyChange | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Policy Changed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Policy changed |
AgentPolicyChangesFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Policy Changes failed\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=New Policy Changes Failed |
ArchivedPreventionsFailure | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Preventions Archived Failed\| System\|@Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Archived preventions failed |
ArchivedPreventions | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Preventions Archived\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["totalPreventions"] preventions been archived |
AutoContentUpdateAvailable | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Server Content Update Available\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=A new Content Update (version @Model["ContentVersion"]) is Available |
ClientInstall | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Install\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Agent installed |
ClientLicenseInvalid | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Client License Invalid\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Invalid license |
ClientLicenseRequest | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Client License Request\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=New license request |
ClientUninstall | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Uninstall\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Agent uninstalled |
ClientUpgrade | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Upgrade\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Agent upgraded |
CommunicationsCheckWithProxy | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Communications Check With Proxy\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Communications check with Proxy on host '@Model["host"]'. Status: '@Model["message"]' |
ConditionDeleted | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Condition Deleted\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Condition ID: @Model["id"] was deleted |
ConditionEdited | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Condition Edited\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Condition ID: @Model["id"] was added/changed. |
ConfigurationChange | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Settings Change\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["Property"] has changed from @Model["OldValue"] to @Model["NewValue"]. |
DisabledProtection | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Protection Disabled\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Protection disabled on all agents |
EPMInitFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|EPM Init Failed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] msg=EPM @Model["EPM"] failed to initialize |
EnabledProtection | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Protection Enabled\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Protection restored on all agents |
EsmConfigurationChange | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|ESM Configuration Change\| System\|@Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Multi ESM configurations has changed |
EsmStatusChange | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|ESM Status Change\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=ESM status changed |
FileUploadFailure | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|File Upload Failure\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] dhost=@Model["host"] duser=@Model["user"] fname=@Model["fileName"] msg=File failed to upload |
HashesImport | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Hashes Import\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] msg=@Model["Amount"] hashes were imported |
Heartbeat | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Heartbeat\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] dvc=@Model["AgentIp"] msg=Service is alive |
LicenseExpiration | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|License Expiration\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["poolName"] licenses will expire in @Model["days"] days |
LicensePoolAdded | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|License Pool Added\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=A pool of @Model["licenseCount"] licenses of type @Model["licenseType"] have been added |
LicenseQuantity | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|License Quantity\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Agent Licenses are running low |
LicenseRevoked | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|License Revoked\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Licenses revoked |
LocalAnalysisFeatureExtractionFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\| Local Analysis Extraction Failed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] msg=Local Analysis Feature Extraction Failed |
LocalAnalysisModelUnavailable | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Local Analysis Model Unavailable\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Local Analysis Model Unavailable |
LocalAnalysisModuleFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\| Local Analysis Module Failed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Add new module into Local Analysis- Failed |
LocalAnalysisModuleSucceeded | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\| Local Analysis Module Succeeded\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs4Label=ModuleVersion cs4=@Model["ModuleVersion"] msg=Add new module into Local Analysis- Succeeded |
MachineLicenseValidationFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Machine License Validation Failed\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=License Validation Failed |
NewHash | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|New Hash Added\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=New hash added |
NotificationEvent | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Notification Event\|Threat\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] dvc=@Model["AgentIp"] msg=New notification event. Prevention Key: @Model["preventionKey"] |
OneTimeActionComplete | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|One Time Action Complete\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=One Time Action completed. Action Type: @Model["ActionType"]. Action ID: @Model["ActionID"] |
OneTimeActionFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|One Time Action Failed\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=One Time Action failed to run. Action Type: @Model["ActionType"] |
PostDetectionEvent | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Post Detection Event\|Threat\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] dvc=@Model["AgentIp"] msg=New post detection event. Prevention Key: @Model["preventionKey"] |
PreventionEvent | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Prevention Event\|Threat\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] dvc=@Model["AgentIp"] msg=New prevention event. Prevention Key: @Model["preventionKey"] |
ProcessCrashed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Process Crashed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Process @Model["ProcessName"] had crashed |
ProcessDeleted | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Process Deleted\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] deviceProcessName=@Model["Name"] msg=Process was deleted |
ProcessEdited | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Process Edited\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] deviceProcessName=@Model.Data.ProcessFilename msg=Process was added/edited |
ProcessInjectionTimedOut | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Process Injection Time Out\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Injection Timeout |
ProvisionalEvent | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Provisional Event\|Threat\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] dvc=@Model["AgentIp"] msg=New provisional event. Prevention Key: @Model["preventionKey"] |
PublisherChanged | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Trusted Signer Changed\| Policy\|@Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] msg=Hash @Model["Hash"] trusted signer changed automatically from @Model["OldPublisher"] to @Model["NewPublisher"] |
QuarantineFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Quarantine Failed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] could not be quarantined, reason: @Model["FailureReason"] |
QuarantineQuotaExceeded | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Quarantine Quota Exceeded \| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] was permanently removed from the quarantine folder because quota was exceeded |
QuarantineSucceeded | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Quarantine Succeed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] was quarantined successfully |
ReportingServiceStartFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\| Reporting Service Start Failed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Failed listening to Traps reporting service on @Model["host"]. |
RestoreFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Restore Failed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] could not be restored, reason: @Model["FailureReason"] |
RestoreSucceeded | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Restore Succeeded\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] restored successfully |
RestrictionSettingsEdited | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Restriction Settings Edited\| Config\|@Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Restriction Settings were added/changed |
RoleDeleted | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Role Deleted\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model["Name"] was deleted |
RoleEdited | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Role Edited\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model.Data.Name was added\changed |
RoleStatusChanged | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Role Status Changed\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model["Name"] status was changed to @Model["Status"] |
RuleDeleted | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Rule Deleted\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] cs1Label=Rule cs1=@Model["id"] msg=Rule @Model["id"]: Deleted |
RuleEdited | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Rule Edited\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] cs1Label=Rule cs1=@Model.Data.Id msg=Rule @Model.Data.Id: Edited |
SendingLicenseToClient | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Sending License To Client\| Config\|@Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=New license sent |
ServerContentRevertFailure | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Server Content Revert Failure\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version failed to revert to @Model["ContentVersion"]. Error: @Model["Error"] |
ServerContentRevertSuccess | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Server Content Revert Success\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version was reverted to @Model["ContentVersion"] successfully |
ServerContentUpdateFailure | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Server Content Update Failed\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version failed to update to @Model["ContentVersion"]. Error: @Model["Error"] |
ServerContentUpdateSuccess | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Server Content Update Success\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version was updated to @Model["ContentVersion"] successfully |
ServerHeartbeat | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|ESM Heartbeat\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=ESM heartbeat |
ServiceAlive | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Service Alive\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Service start |
ServiceStartFailed | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Service Start Failed\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Service start failed |
ServiceStopped | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Service Stopped\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Service stopped |
ServiceWarning | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Service Warning\|Threat\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"]dvc=@Model["AgentIp"] msg=Warning- Java sandboxed file access to @Model["TargetValue"] |
SystemShutdown | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|System Shutdown\|Agent\| @Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Service shutdown |
TechSupportFileStatus | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Tech Support File\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] msg=Tech Support File: Status:@Model["Status"] |
TrapsServiceStatusChange | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Traps Service Status Change\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Agent Service Status Changed: @Model["OldStatus"]-> @Model["NewStatus"] |
UserDeleted | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|User Deleted\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model["Name"] was deleted. |
UserEdited | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|User Edited\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model.Data.Name was added\changed. |
UserLogin | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|User Login\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model.Data.Username logged in to ESM console |
UserStatusChanged | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|User Status Changed\|Config\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model["Name"] status was changed to @Model["Status"] |
VerdictChangeAnyToMalware | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Verdict Changed Any To Malware\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed to Malware. @Model["OldVerdict"] -> @Model["NewVerdict"] |
VerdictChangeMalwareToAny | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Verdict Change Malware To Any\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed from Malware. Awaiting to restore: @Model["QuarantineStatus"]. @Model["OldVerdict"] -> @Model["NewVerdict"] |
VerdictChangeNoconnectionToAny | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Verdict Change No Connection To Any\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed from No Connection. @Model["OldVerdict"] -> @Model["NewVerdict"] |
VerdictChangeUnknownToAny | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Verdict Change Unknown To Any\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed from Unknown. @Model["OldVerdict"] -> @Model["NewVerdict"] |
VerdictChangeAwaitingAnalysisToAny | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Verdict Change Awaiting Analysis To Any\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed from Awaiting Analysis. @Model["OldVerdict"] -> @Model["NewVerdict"] |
VerdictChange | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Verdict Changed\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed. @Model["OldVerdict"] -> @Model["NewVerdict"] |
VerdictManualOverride | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Verdict Manual Override\| Policy\|@Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict overridden manually. @Model["OldVerdict"] -> @Model["NewVerdict"] |
VerdictRevertedToWildfire | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Verdict Reverted To WildFire\|Policy\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict reverted to WildFire. @Model["OldVerdict"] -> @Model["NewVerdict"] |
WfCommunicationsStatusChanged | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| WildFire Communications Status Changed\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=WildFire communications status changed on host '@Model["host"]'. Status: '@Model["message"] |
InstallationPackage | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\|Agent Package Created\| System\|@Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["OSType"] Agent Package was @Model["AgentPackageStatus"]. Source file: @Model["SourceFile"]. Package name: @Model["AgentPackageName"] Agent Version: @Model["AgentPackageVersion"] |
IncompatibleOs | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps Agent\| @Model["ProductVersion"]\|Agent Incompatibility Issue\| Agent\|@Model.ExternalSeverity\| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Traps is inactive due to @Model["IncompatibilityReason"] |
RegistrationConflict | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Agent Registration Conflict Detected\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Agent registration conflict detected on host @Model["host"] from IP: @Model["RequestIP"]. Saved IP: @Model["AgentIp"] |
EsmCertValidationWarning | @Model["Time"] @Model["EsmIp"] CEF:0\| Palo Alto Networks\|Traps ESM\| @Model["ProductVersion"]\| Agent-ESM Authentication Warning\|System\| @Model.ExternalSeverity\| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Agent @Model["host"] couldn't fully authenticate ESM @Model["esmHost"] using installed certificate. |
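A parser for lines in the templates above, written as an added example for this page (not code from the Traps product or its documentation). It splits the seven pipe-delimited header fields (honouring the CEF `\|` escape), splits the extension on `key=` boundaries, and maps `csNLabel`/`csN` pairs such as `cs2Label=Module cs2=...` to their label names; note that in these templates the Device Event Class ID slot carries the event name (e.g. `Prevention Event`) while the Name slot carries the category (`Threat`, `Agent`, `System`, `Config`, `Policy`). The sample lines, timestamps, hosts, IPs and severity strings are constructed.

```python
"""Parse Traps ESM syslog lines written with the CEF templates tabulated above.

Added example, not code from the Traps product or its documentation.
Sample lines, timestamps, hosts, IPs and severity strings are constructed.
"""
import re

# CEF header slots in order. In the Traps templates the 5th slot carries the
# event name (e.g. "Prevention Event") and the 6th the category (Threat, Agent,
# System, Config, Policy), so they are named accordingly here.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "event_class_id", "name", "severity")

# An extension key is a run of word characters followed by '=' at the start of
# the string or after whitespace; its value runs up to the next such key.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(cef: str):
    """Return (7 header fields, remaining extension text) for 'CEF:0|...'.
    A literal pipe inside a header field is escaped as '\\|' per the CEF
    spec, so the split is done by hand instead of str.split('|')."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped char: keep it literally
            buf.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf).strip())  # templates pad some slots with spaces
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-delimited fields")
    return fields, cef[i:]


def parse_extensions(ext: str) -> dict:
    """Split 'k1=v1 k2=v2 ...' into a dict. Values such as msg= contain
    spaces, colons and Windows paths, so only the '\\=' escape is undone;
    other backslashes (e.g. inside fileName=) are left untouched."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return out


def resolve_labels(ext: dict) -> dict:
    """Rename custom fields by their label, e.g. cs2Label=Module cs2=X
    becomes {'Module': 'X'}; the *Label keys themselves are dropped."""
    resolved = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        resolved[ext.get(key + "Label", key)] = value
    return resolved


def parse_traps_cef(line: str) -> dict:
    """Parse one line of the form '<Time> <EsmIp> CEF:0|...|...| k=v ...'."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header in line")
    fields, ext = split_header(line[idx:])
    record = dict(zip(HEADER_FIELDS, fields))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    record["syslog_prefix"] = line[:idx].strip()   # @Model["Time"] @Model["EsmIp"]
    record["extensions"] = resolve_labels(parse_extensions(ext))
    return record


# Constructed samples following the PreventionEvent and AccessViolation rows.
SAMPLE_PREVENTION = (
    "2019-03-12T14:05:31Z 10.0.0.5 CEF:0| Palo Alto Networks|Traps Agent| 4.2.0|"
    "Prevention Event|Threat| High| rt=2019-03-12T14:05:31Z dhost=WS-0042 "
    "duser=alice cs2Label=Module cs2=DLL Security deviceProcessName=winword.exe "
    "fileHash=" + "ab" * 32 + " cs3Label=ContentVersion cs3=83-1234 "
    "dvc=10.0.0.77 msg=New prevention event. Prevention Key: 9f3c-0001"
)
SAMPLE_ACCESS = (
    "2019-03-12T14:06:02Z 10.0.0.5 CEF:0| Palo Alto Networks|Traps Agent| 4.2.0|"
    "Access Violation|Threat| Medium| rt=2019-03-12T14:06:02Z dhost=WS-0042 "
    "duser=alice cs2Label=Module cs2=Child Process dvc=10.0.0.77 "
    "msg=Access Violation- Folder: C:\\Users\\alice\\AppData\\Local\\Temp"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PREVENTION, SAMPLE_ACCESS):
        rec = parse_traps_cef(sample)
        print(rec["event_class_id"], rec["name"], rec["severity"], rec["extensions"])
```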