Traps Endpoint Security Manager Administrator's Guide
    : Phase 4: Collection of Forensic Data
    Focus
    Focus
    1. Home
    2. Traps
    3. Traps Endpoint Security Manager Administrator's Guide
    4. Forensics
    5. Forensics Overview
    6. Forensics Flow
    7. Phase 4: Collection of Forensic Data

    Traps Endpoint Security Manager Administrator's Guide

    Phase 4: Collection of Forensic Data

    Table of Contents

    Phase 4: Collection of Forensic Data

    After analyzing the files, Traps notifies the ESM about the security event and can send additional forensic data to the forensic folder.
    If your security policy contains a forensic data collection rule, Traps collects one or more specified data types and uploads the file(s) to the forensic folder. Depending on the preferences, Traps can collect URI that were accessed, drivers, files, and relevant DLLs that are loaded in memory under the attacked process, and ancestor processes of the process that triggered the security event. For more information, see Define Forensics Collection Preferences.
    By default, Traps uses a web-based Background Intelligent Transfer Service (BITS) folder that utilizes idle network bandwidth to upload data. For more information, see Change the Default Forensic Folder.
    You can also manually retrieve forensic data for a specific security event by creating a one-time action rule to retrieve the data. For more information, see Retrieve Data About a Security Event. To view the status of the forensic upload select MonitorData Retrieval.

    © 2024 Palo Alto Networks, Inc. All rights reserved.