Features Introduced in Traps Agent 6.1
Describes the new features introduced in Traps agent 6.1 releases.
The following topics describe the new features introduced in Traps agent 6.1 releases.
For additional information on how to use the new features in this release, refer to the Traps Agent 6.1 Administrator’s Guide.
Features Introduced in Traps Agent 6.1.1
No new features were introduced in Traps agent 6.1.1 release.
Features Introduced in Traps Agent 6.1.0
The following table describes the new features introduced in Traps agent 6.1.0 release.
Data Collection for Mac and Linux Endpoints
Traps now extends EDR data collection capabilities to Mac and Linux endpoints. When enabled to do so, Traps uploads endpoint activity data to the Data Lake. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack and the endpoints that were involved.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage for Endpoint Data in your Cortex Data Lake instance.
New Response Capabilities for Mac and Linux Endpoints
To take immediate action when a security event occurs on a Mac endpoint or Linux server, you can now initiate the following response actions:
You can review the status of the response actions both from the security event and from the
Behavioral Threat Protection for Mac and Linux Endpoints
Traps now extends Behavioral Threat Protection to protect Mac endpoints and Linux servers. This enables Traps to monitor endpoint activity to identify and analyze chains of events—known as causality chains—instead of only evaluating a single event on its own. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) which initiated the activity when Traps detects a match.
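The following is an added illustration of the causality-chain idea described above; it is not Traps code and does not reflect how Palo Alto Networks implements behavioral threat rules. It assumes a constructed stream of process-start and file-write events with hypothetical pids and image names (docviewer, scripthost, shell), derives the causality group owner (CGO) of each event by walking the parent chain, and evaluates an ordered three-step rule per causality group. It also shows what a per-event rule on the final step alone would flag, which is the difference the paragraph draws between evaluating a chain and evaluating a single event.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int
    pid: int
    ppid: int
    proc: str     # image name of the acting process
    action: str   # "start" or "file_write"
    target: str   # file path for file_write; empty for start


@dataclass(frozen=True)
class Enriched:
    ev: Event
    parent_proc: str
    cgo_pid: int
    cgo_proc: str


Predicate = Callable[[Enriched], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    steps: Tuple[Predicate, ...]  # satisfied in timestamp order within ONE causality group


# Constructed sample telemetry (hypothetical pids, image names and paths).
SAMPLE_EVENTS: List[Event] = [
    Event(1, 100, 1, "docviewer", "start", ""),
    Event(2, 200, 100, "scripthost", "start", ""),
    Event(3, 300, 200, "shell", "start", ""),
    Event(4, 300, 200, "shell", "file_write", "/home/u/.config/autostart/x.desktop"),
    Event(5, 400, 1, "shell", "start", ""),  # interactive shell with no document lineage
    Event(6, 400, 1, "shell", "file_write", "/home/u/.config/autostart/y.desktop"),
]


def build_process_table(events: List[Event]) -> Dict[int, Tuple[int, str]]:
    """pid -> (ppid, image) built from process-start events."""
    return {e.pid: (e.ppid, e.proc) for e in events if e.action == "start"}


def causality_group_owner(pid: int, table: Dict[int, Tuple[int, str]]) -> int:
    """Walk up the parent chain; the topmost process we know about is the CGO."""
    while pid in table and table[pid][0] in table:
        pid = table[pid][0]
    return pid


def enrich(events: List[Event]) -> List[Enriched]:
    """Attach parent image name and causality group owner to every event."""
    table = build_process_table(events)
    out = []
    for e in events:
        parent_proc = table.get(e.ppid, (0, "<unknown>"))[1]
        cgo = causality_group_owner(e.pid, table)
        out.append(Enriched(e, parent_proc, cgo, table.get(cgo, (0, "<unknown>"))[1]))
    return out


def match_chain(rule: Rule, events: List[Event]) -> List[Tuple[int, str, List[int]]]:
    """Return (cgo_pid, cgo_proc, matched timestamps) for each causality group
    whose events satisfy rule.steps in order."""
    groups: Dict[int, List[Enriched]] = {}
    for x in enrich(events):
        groups.setdefault(x.cgo_pid, []).append(x)
    hits = []
    for cgo_pid, evs in groups.items():
        evs.sort(key=lambda x: x.ev.ts)
        step, seen = 0, []
        for x in evs:
            if step < len(rule.steps) and rule.steps[step](x):
                seen.append(x.ev.ts)
                step += 1
        if step == len(rule.steps):
            hits.append((cgo_pid, evs[0].cgo_proc, seen))
    return hits


def match_single_step(pred: Predicate, events: List[Event]) -> List[int]:
    """What a per-event rule would flag: every event satisfying one predicate,
    regardless of lineage. Used here to show the noise a chain rule avoids."""
    return [x.ev.ts for x in enrich(events) if pred(x)]


# Hypothetical rule: document viewer -> script host -> shell -> write to an autostart dir.
DOC_TO_PERSISTENCE = Rule("doc_to_persistence", (
    lambda x: x.ev.action == "start" and x.ev.proc == "scripthost" and x.parent_proc == "docviewer",
    lambda x: x.ev.action == "start" and x.ev.proc == "shell" and x.parent_proc == "scripthost",
    lambda x: x.ev.action == "file_write" and "/autostart/" in x.ev.target,
))

if __name__ == "__main__":
    print("chain hits:", match_chain(DOC_TO_PERSISTENCE, SAMPLE_EVENTS))
    print("single-step hits:", match_single_step(DOC_TO_PERSISTENCE.steps[-1], SAMPLE_EVENTS))
```

Run stand-alone, the chain rule reports one hit, the group owned by pid 100 (docviewer), while the single-step check flags both autostart writes, including the one made by an interactive shell with no document lineage. The CGO returned with the hit is the process a quarantine action would act on, which is the role the text assigns to the causality group owner.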
Enhanced Investigation with Live Terminal
If an event requires further investigation, you can now initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.
New Response Capability for Windows Endpoints
You can now initiate a response action to retrieve files from Windows endpoints. You can retrieve up to 20 files in a security event (and up to 200MB total), or you can retrieve a file by supplying the file path. You can also retrieve files from one or more endpoints at a time. Traps management service retains retrieved files for up to one week. To track the status of a file retrieval action, you can view the action from the
Windows Data Collection Enhancements
To provide additional context during an investigation, Traps now collects the following additional activity information on the endpoint:
Extended Ransomware Protection Coverage on Windows Endpoints
Traps extends Ransomware Protection on Windows endpoints to also protect you from ransomware behavior that Traps detects in network folders. The network folders are not configurable but are determined by Palo Alto Networks threat researchers and delivered with content updates in the form of Ransomware Protection rules.
New Windows Operating System Version Support
You can now install Traps on Windows 10 RS6. For complete compatibility information, see the Palo Alto Networks Compatibility Matrix.
Compliant Mode for Mac Endpoints
Traps can now provide continuous protection through major operating system (OS) upgrades on Mac endpoints. In compliant mode, Traps automatically but temporarily disables any features or modules affected by the OS change (such as exploit protection modules) that would cause Traps to operate in an incompatible state. In compliant mode, the agent remains active and connected to Traps management service. After Palo Alto Networks tests all features and modules on new OS, Traps management service automatically instructs the agent to activate modules or features that were previously disabled in compliant mode (taking into account the Traps security policy). If Palo Alto Networks determines a capability or feature is not compatible with the new OS, the agent can operate in compliant mode until a subsequent agent release is available for upgrade and full support of the new OS.
Traps now includes a pre-defined list of blacklisted processes by signer with the default Malware Security policy. When a process signed by a blacklisted signer tries to run, Traps now blocks its execution and raises a security event. Blacklisted signers are defined by Palo Alto Networks and changes to the default list can be delivered with content updates. If necessary, you can create an exception from a security event to remove a process from the blacklist. To disable blacklisted signers, contact Support.