Features Introduced in Traps Agent 6.1

The following topics describe the new features introduced in Traps agent 6.1 releases. For details on how to configure and use these features, refer to the Traps Agent 6.1 Administrator’s Guide.

Features Introduced in Traps Agent 6.1.1

No new features were introduced in the Traps agent 6.1.1 release.

Features Introduced in Traps Agent 6.1.0

The following sections describe the new features introduced in the Traps agent 6.1.0 release.
Data Collection for Mac and Linux Endpoints
Traps now extends EDR data collection capabilities to Mac and Linux endpoints. When enabled to do so, Traps uploads endpoint activity data to the Data Lake. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack and the endpoints that were involved.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage for Endpoint Data in your Cortex Data Lake instance.
New Response Capabilities for Mac and Linux Endpoints
To take immediate action when a security event occurs on a Mac endpoint or Linux server, you can now initiate the following response actions:
  • Terminate Process—Terminate the suspicious process on the endpoint. This option is available from security events for which the action is
    and allows you to issue a remote request to the endpoint to terminate the process.
  • Quarantine—If Traps has reported malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. Quarantine is not available for security events that originated from network drives or containers.
You can review the status of the response actions both from the security event and from the Actions Tracker.
Behavioral Threat Protection for Mac and Linux Endpoints
Traps now extends Behavioral Threat Protection to protect Mac endpoints and Linux servers. This enables Traps to monitor endpoint activity to identify and analyze chains of events—known as causality chains—instead of only evaluating a single event on its own. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure, in a Malware Security profile in Traps management service, the action Traps takes when it detects a match. You can also configure Traps to quarantine the causality group owner (CGO), the process that initiated the activity, when Traps detects a match.
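To make the causality-chain idea concrete, the following Python illustration (added here; it is not Traps code, and the rule it applies is a constructed example, not one of Palo Alto Networks' behavioral threat rules) evaluates the same constructed process-creation events two ways: once per event with only its direct parent in view, and once over the full parent chain back to the root. The event data, image names, and the simplified definition of the causality group owner as the first non-system-launcher process in the chain are all assumptions made for the example.

```python
"""Causality-chain evaluation over constructed process-creation events.

Added illustration, not Traps code. The chain rule below is an example
rule, not a Palo Alto Networks behavioral threat rule, and the events
are constructed rather than captured from a real endpoint.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: Optional[int]
    image: str       # executable name, lowercased
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption for this example: processes treated as OS launchers rather than chain initiators.
SYSTEM_LAUNCHERS = {"explorer.exe", "services.exe", "svchost.exe"}

# Constructed sample telemetry: a macro-enabled document opens a shell, which
# launches an encoded PowerShell command. PIDs 500/600 are a benign control
# (an operator running encoded PowerShell from a plain console).
SAMPLE_EVENTS = [
    ProcessEvent(100, None, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "winword.exe", '"winword.exe" C:\\Users\\alice\\invoice.docm'),
    ProcessEvent(300, 200, "cmd.exe", "cmd.exe /c start /min powershell"),
    ProcessEvent(400, 300, "powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBBAEEA"),
    ProcessEvent(500, 100, "cmd.exe", "cmd.exe"),
    ProcessEvent(600, 500, "powershell.exe", "powershell.exe -EncodedCommand QQBBAEEA"),
]


def index_by_pid(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    return {e.pid: e for e in events}


def is_encoded_powershell(e: ProcessEvent) -> bool:
    args = e.cmdline.lower()
    return e.image == "powershell.exe" and ("-encodedcommand" in args or " -enc " in args)


def single_event_verdict(e: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> str:
    """Per-event inspection: sees only this event and its direct parent."""
    parent = by_pid.get(e.ppid) if e.ppid is not None else None
    if parent is not None and parent.image in OFFICE_APPS and is_encoded_powershell(e):
        return "suspicious"
    return "benign"


def causality_chain(e: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[ProcessEvent]:
    """Walk parent links back to the root; returns the chain root-first.
    The `seen` set guards against PID reuse producing a cycle."""
    chain, seen, cur = [], set(), e
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    chain.reverse()
    return chain


def causality_group_owner(chain: List[ProcessEvent]) -> ProcessEvent:
    """Simplified CGO: the first process in the chain that is not an OS launcher."""
    for p in chain:
        if p.image not in SYSTEM_LAUNCHERS:
            return p
    return chain[0]


def chain_verdict(e: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> dict:
    """Example chain rule: an Office app anywhere upstream of encoded PowerShell.
    The intermediate cmd.exe hop, which hides the relationship from the
    per-event check, is irrelevant here because the whole chain is inspected."""
    chain = causality_chain(e, by_pid)
    office_upstream = any(p.image in OFFICE_APPS for p in chain[:-1])
    verdict = "malicious" if office_upstream and is_encoded_powershell(chain[-1]) else "benign"
    return {"verdict": verdict,
            "cgo_pid": causality_group_owner(chain).pid,   # what a quarantine-CGO action would target
            "chain": [p.image for p in chain]}


def analyze(events: List[ProcessEvent]) -> Dict[int, tuple]:
    """Map each PID to (per-event verdict, chain verdict) for side-by-side comparison."""
    by_pid = index_by_pid(events)
    return {e.pid: (single_event_verdict(e, by_pid), chain_verdict(e, by_pid)["verdict"])
            for e in events}


if __name__ == "__main__":
    for pid, (single, chained) in analyze(SAMPLE_EVENTS).items():
        print(f"pid {pid}: per-event={single} chain={chained}")
```

Running this, PID 400 is benign under per-event inspection (its direct parent is cmd.exe, not an Office app) but malicious under chain inspection, with the CGO resolved to the Word process (PID 200) rather than the PowerShell process that happened to trigger the match; the control chain at PID 600 stays benign both ways because no Office process is upstream.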
Enhanced Investigation with Live Terminal
If an event requires further investigation, you can now initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.
New Response Capability for Windows Endpoints
You can now initiate a response action to retrieve files from Windows endpoints. You can retrieve up to 20 files from a security event (up to 200 MB in total), or you can retrieve a file by supplying its file path. You can also retrieve files from one or more endpoints at a time. Traps management service retains retrieved files for up to one week. To track the status of a file retrieval action, view the action from the Actions Tracker.
Windows Data Collection Enhancements
To provide additional context during an investigation, Traps now collects the following additional activity information on the endpoint:
  • File—Symbolic links, hard links, and reparse points
  • File—File time and DACL modifications
  • Signature and MD5/SHA2 hash calculation on DLL load events
  • Network—Resolve hostnames on local network
  • User presence
Traps can leverage this endpoint activity data to detect malicious causality chains. Traps management service can also share this information with Cortex apps to aid with event investigation.
Extended Ransomware Protection Coverage on Windows Endpoints
Traps extends Ransomware Protection on Windows endpoints to also protect you from ransomware behavior that Traps detects in network folders. The network folders are not configurable but are determined by Palo Alto Networks threat researchers and delivered with content updates in the form of Ransomware Protection rules.
New Windows Operating System Version Support
You can now install Traps on Windows 10 RS6. For complete compatibility information, see the Palo Alto Networks Compatibility Matrix.
Compliant Mode for Mac Endpoints
Traps can now provide continuous protection through major operating system (OS) upgrades on Mac endpoints. In compliant mode, Traps automatically but temporarily disables any features or modules affected by the OS change (such as exploit protection modules) that would otherwise cause Traps to operate in an incompatible state, while the agent remains active and connected to Traps management service. After Palo Alto Networks tests all features and modules on the new OS, Traps management service automatically instructs the agent to re-activate the modules or features that were disabled in compliant mode (taking the Traps security policy into account). If Palo Alto Networks determines that a capability or feature is not compatible with the new OS, the agent can remain in compliant mode until a subsequent agent release that fully supports the new OS is available for upgrade.
Blacklisted Signers
Traps now includes a pre-defined list of blacklisted signers with the default Malware Security policy. When a process signed by a blacklisted signer tries to run, Traps blocks its execution and raises a security event. Blacklisted signers are defined by Palo Alto Networks, and changes to the default list can be delivered with content updates. If necessary, you can create an exception from a security event to allow a process that was blocked by the blacklist. To disable blacklisted signers, contact Support.