Features Introduced in Traps Agent 6.1

The following topics describe the new features introduced in the Traps agent 6.1 releases.
For additional information on how to use the new features in this release, refer to the Traps Agent 6.1 Administrator’s Guide.

Features Introduced in Traps Agent 6.1.2

The following table describes the new features introduced in the Traps agent 6.1.2 release. Each feature name is followed by its description.

macOS 10.15 Support
Traps now supports macOS 10.15. For complete compatibility information, see the Palo Alto Networks Compatibility Matrix.
Due to changes in the security settings of the new macOS version, you must allow full disk access for Traps on your endpoint to enable full protection. If you do not authorize full disk access for Traps, the Traps agent provides only partial protection on the endpoint. For more details, refer to the Traps Agent 6.1 Administrator’s Guide.
To upgrade Traps on macOS 10.15, you must install new Traps versions before upgrading the operating system:
  1. Upgrade the Traps agent to Traps 6.1.2 from Traps management service or using the deployment method of your choice.
  2. Upgrade the endpoint to macOS 10.15.
If you upgraded the operating system before you upgraded the Traps agent, you must uninstall and reinstall the Traps agent on the endpoint either using a third-party deployment tool such as JAMF or manually.
Windows Event Logging Enhancement
Traps adds support for additional Windows Event Log types. For a full list of logs collected by Traps, see Windows Event Logs. To collect Windows Event Logs, you must enable Traps to Monitor and collect endpoint events in an Agent Settings profile.
If you also use Cortex XDR, you can use the Event Log Query to search for events by event attributes.
Configurable Agent Proxy Settings
In environments where Traps agents communicate with the Traps management service through a system-wide proxy, you can now set an application specific proxy for the Traps agent without affecting the communication of other applications on the endpoint. You can set, manage and disable the Traps agent proxy configuration in the Traps management service.
  • If your agent is communicating directly with the Traps management service, you can assign it a dedicated proxy in the Endpoints window. Once you disable this proxy, the agent reverts to communicating directly with the Traps management service.
  • If your agent is not yet connected to the Traps management service, you must assign the proxy IP address and port number during the Traps agent installation process on the endpoint. For agent installation instructions, see the Traps Agent Administrator’s Guide.
Traps for Restricted Networks
With the Palo Alto Networks Broker Service, you can now deploy Traps in restricted networks where endpoints do not have a direct connection to the internet. The Broker Service acts as a proxy that mediates communication between the endpoints in your restricted network and Traps management service. This enables your Traps agents to receive security policy updates from, and send logs and files to Traps management service without a direct connection. To use the Broker Service, you deploy a Broker VM on your network and configure your Traps agents for communication with the Broker VM instead of the Traps management service.

Features Introduced in Traps Agent 6.1.1

The following table describes the new features introduced in the Traps agent 6.1.1 release. Each feature name is followed by its description.

Windows Event Logging
To provide additional context during an investigation, Traps now collects information about Windows Event Logs, including the event level, event ID, message, username, and provider name. To collect Windows Event Logs, you must enable Traps to Monitor and collect endpoint events in an Agent Settings profile.
If you also use Cortex XDR, you can use the Event Log Query to search for events by event attributes.

Features Introduced in Traps Agent 6.1.0

The following table describes the new features introduced in the Traps agent 6.1.0 release. Each feature name is followed by its description.

Data Collection for Mac and Linux Endpoints
Traps now extends EDR data collection capabilities to Mac and Linux endpoints. When enabled to do so, Traps uploads endpoint activity data to the Data Lake. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack and the endpoints that were involved.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage for Endpoint Data in your Cortex Data Lake instance.
New Response Capabilities for Mac and Linux Endpoints
To take immediate action when a security event occurs on a Mac endpoint or Linux server, you can now initiate the following response actions:
  • Terminate Process—Terminate the suspicious process on the endpoint. This option is available from security events for which the action is Report and allows you to issue a remote request to the endpoint to terminate the process.
  • Quarantine—If Traps has reported malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. Quarantine is not enabled for security events that originated from network drives or containers.
You can review the status of the response actions both from the security event and from the Actions Tracker.
Behavioral Threat Protection for Mac and Linux Endpoints
Traps now extends Behavioral Threat Protection to protect Mac endpoints and Linux servers. This enables Traps to monitor endpoint activity to identify and analyze chains of events—known as causality chains—instead of only evaluating a single event on its own. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match in a Malware Security profile in the Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) that initiated the activity when Traps detects a match.
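To make the difference between single-event evaluation and causality-chain evaluation concrete, here is an added example in Python. It is an illustrative model written for this page, not Traps code, and the rule, process names and telemetry in it are constructed: Traps' own behavioral threat rules are delivered as content updates and are not published here. The example reconstructs a chain by walking parent links from a process back to the system root, identifies the causality group owner (the process that started the activity, which is what the quarantine option above targets), and shows that a chain rule can fire on a sequence of events none of which is suspicious when inspected on its own.

```python
"""Illustrative causality-chain evaluation (added example; not the Traps implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record. Field names are hypothetical, chosen for this example."""
    pid: int
    ppid: int
    image: str        # process image name (constructed values below)
    actor_user: str


# Constructed sample telemetry. A document-handling application spawns a shell,
# which spawns a network client; separately, a user shell spawns the same client.
SAMPLE_EVENTS = [
    ProcEvent(pid=100, ppid=1,   image="launchd",    actor_user="alice"),
    ProcEvent(pid=200, ppid=100, image="office_app", actor_user="alice"),
    ProcEvent(pid=300, ppid=200, image="sh",         actor_user="alice"),
    ProcEvent(pid=400, ppid=300, image="net_client", actor_user="alice"),
    ProcEvent(pid=500, ppid=100, image="sh",         actor_user="alice"),
    ProcEvent(pid=600, ppid=500, image="net_client", actor_user="alice"),
]

# Hypothetical behavioral rule for this example: a document-handling application
# that ends up launching a network client through a shell, in that order.
CHAIN_RULE = ("office_app", "sh", "net_client")

# Single-event evaluation only has a list of images to flag; here it is empty,
# because none of the images above is suspicious by itself.
SINGLE_EVENT_BLOCKLIST = frozenset()

SYSTEM_ROOTS = frozenset({"launchd", "init", "systemd"})


def build_chain(events, pid):
    """Walk parent links from pid up to the root; returns the chain oldest-first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against cyclic ppid data
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def causality_group_owner(chain):
    """The CGO is the first process in the chain that is not a system root."""
    for e in chain:
        if e.image not in SYSTEM_ROOTS:
            return e
    return None


def evaluate_single(event):
    """Single-event evaluation: look only at this one record."""
    return event.image in SINGLE_EVENT_BLOCKLIST


def evaluate_chain(chain, rule=CHAIN_RULE):
    """Chain evaluation: match if the rule's images occur in order as a subsequence."""
    idx = 0
    for e in chain:
        if idx < len(rule) and e.image == rule[idx]:
            idx += 1
    return idx == len(rule)


def analyze(events, pid):
    """Return both verdicts for the process pid plus the chain and CGO that were evaluated."""
    chain = build_chain(events, pid)
    cgo = causality_group_owner(chain)
    return {
        "single_event_hit": evaluate_single(chain[-1]) if chain else False,
        "chain_hit": evaluate_chain(chain),
        "cgo": cgo.image if cgo else None,
        "chain": [e.image for e in chain],
    }


if __name__ == "__main__":
    for pid in (400, 600):
        print(pid, analyze(SAMPLE_EVENTS, pid))
```

Running the block shows pid 400 producing no single-event hit but a chain hit with `office_app` as the CGO, while pid 600, whose chain is only `launchd -> sh -> net_client`, produces no hit at all; the same final process is judged differently because of what preceded it.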
Enhanced Investigation with Live Terminal
If an event requires further investigation, you can now initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.
New Response Capability for Windows Endpoints
You can now initiate a response action to retrieve files from Windows endpoints. You can retrieve up to 20 files in a security event (and up to 200MB total), or you can retrieve a file by supplying the file path. You can also retrieve files from one or more endpoints at a time. Traps management service retains retrieved files for up to one week. To track the status of a file retrieval action, you can view the action from the Actions Tracker.
Windows Data Collection Enhancements
Traps can leverage this endpoint activity data to detect malicious causality chains. Traps management service can also share this information with Cortex apps to aid with event investigation.
Extended Ransomware Protection Coverage on Windows Endpoints
Traps extends Ransomware Protection on Windows endpoints to also protect you from ransomware behavior that Traps detects in network folders. The network folders are not configurable but are determined by Palo Alto Networks threat researchers and delivered with content updates in the form of Ransomware Protection rules.
New Windows Operating System Version Support
You can now install Traps on Windows 10 RS6. For complete compatibility information, see the Palo Alto Networks Compatibility Matrix.
Compliant Mode for Mac Endpoints
Traps can now provide continuous protection through major operating system (OS) upgrades on Mac endpoints. In compliant mode, Traps automatically but temporarily disables any features or modules affected by the OS change (such as exploit protection modules) that would otherwise cause Traps to operate in an incompatible state. In compliant mode, the agent remains active and connected to the Traps management service. After Palo Alto Networks tests all features and modules on the new OS, the Traps management service automatically instructs the agent to activate the modules or features that were previously disabled in compliant mode (taking into account the Traps security policy). If Palo Alto Networks determines that a capability or feature is not compatible with the new OS, the agent can operate in compliant mode until a subsequent agent release is available for upgrade and full support of the new OS.
Blacklisted Signers
Traps now includes a pre-defined list of blacklisted processes by signer with the default Malware Security policy. When a process signed by a blacklisted signer tries to run, Traps now blocks its execution and raises a security event. Blacklisted signers are defined by Palo Alto Networks and changes to the default list can be delivered with content updates. If necessary, you can create an exception from a security event to remove a process from the blacklist. To disable blacklisted signers, contact Support.
