Assess Security Events
Traps management service ranks all events in order of severity so you can quickly see the most important events when you log in to Traps management service. You can then drill down into the security events to determine whether a security event is a real threat and, if so, remediate it. In some cases, you may determine that a security event does not pose a real threat and can create an exception for it. Use the following workflow to drill down into a security event and assess whether it poses a security threat.
- From Traps management service, select Security Events.
- Filter the security events. Traps management service displays the filters you can use at the top of the Security Events page. When you supply more than one filter, Traps management service displays only security events that match all the specified criteria. Filters that accept text do not accept wildcards and are case-insensitive.
  - By time—Select the Timeframe for which you would like to filter security events: Last 24 hours, Last 7 days, Last 30 days, or Last 3 Months.
  - By status—Select the Status for which you would like to filter security events. You can define or change the status for each event when you view additional details about the event.
  - By severity—Traps management service indicates the total number of threats for each severity (high, medium, and low) with links you can use to filter security events by severity. You can also use the Severity drop-down at the top of the page to filter by one or more severities.
  - By platform—Select Platform to filter by operating system.
  - By event type—Select one or more event types by which to filter security events. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial name of an event type.
  - By username—Enter a full or partial User to filter security events that occurred when a user was logged in to one or more endpoints. You can also include the user domain in the format domain\username to filter security events for a user that belongs to a specific domain.
  - By endpoint name or ID—Enter a complete or partial Endpoint Name in the Search field. If the name of the endpoint changes, Traps management service automatically updates the name associated with the security event to use the new name, but preserves the original endpoint name in the details view of the event. To search for events for a renamed endpoint, use the current endpoint name as the match criteria. To instead search for an endpoint by its unique endpoint ID, select Endpoint ID instead of Endpoint Name and enter the complete ID value. You can identify the endpoint ID—which is assigned by Traps management service—in the details view for an endpoint (for more information, see View Details About an Endpoint).
  - By process or file name—Enter a full or partial Process/File Name to filter security events for a specific file.
  - By event ID—Enter a complete Event ID to filter security events by the unique ID issued to each security event.
- To drill down into additional Security Event Details, select the Event name. This detailed view provides context around the event and information you can use to assess whether the security event is a valid threat.
- While you are investigating a security event, consider changing the event STATUS to Investigating. To set the status for multiple events in bulk, select the security events in the table view, select the change status icon from the action menu that appears at the top of the security events table, and then choose the desired status. After you set the status for one or more security events, you can easily filter the Security Events dashboard by the events you are currently assessing.
- If the threat violated a Malware policy rule, you can also view information about the hash and the associated WildFire Analysis Report to learn about the malicious behavior that WildFire observed. You can then use this information to help you remediate the malware on your endpoints to prevent it from propagating. If you disagree with a WildFire verdict, you can submit a report to Palo Alto Networks describing why you believe the verdict is incorrect. For more information, see Review WildFire Analysis Details.
- Retrieve data from the endpoint.
  - From the details view of a security event, select Actions > Retrieve Data. Traps management service also provides additional analysis of the memory contents when an exploit security event occurs. To retrieve data and begin analysis, select Retrieve and Analyze Security Event Data. After Traps management service receives the security event data and begins analysis, you can monitor the progress on the Analysis tab.
  - Confirm the action to Retrieve data. Traps management service displays the status of the data retrieval request in the Details of the security event. You can also go to Actions Tracker to view all data collected from Traps agents. See Monitor Administrative Actions.
  - After the Traps agent uploads the data to Traps management service, you can download it to further assess and understand the activity associated with the event. To view additional details about an endpoint, including the policy applied on the endpoint, see Manage Registered Endpoints.
- (Windows only) Take additional action to halt potential damage on an endpoint. The Response Actions that are available for the event vary depending on the security event type and are displayed on the Actions menu for the security event.
- To help track your progress as you analyze a security
  - Enter or view Comments for the event.
  - View the change History for a security event.
- (Optional) If after reviewing the details about a security event you want to grant an exception to the security policy that triggered the event, Create a Policy Exception. To configure an exception for an event triggered by your exploit policy, configure a Process Exception. To configure an exception for an event triggered by your malware policy, configure a Hash Exception. Exceptions are not available for restriction policy rules.
- After you complete your investigation, change the STATUS of the security events to Closed to indicate to other administrators that no additional assessment is required. Traps management service filters out closed events from the default view of the Security Events page. To include closed events in results, select the Status: Closed search filter.
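As an added example (not Traps code) covering the filter step and the Closed-status step above: every supplied filter is ANDed, text filters match full or partial values case-insensitively with no wildcards, Endpoint ID and Event ID require the complete value, results are ranked by severity, and Closed events are hidden unless Status: Closed is requested. Field names and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SecurityEvent:
    event_id: str
    endpoint_id: str
    timestamp: datetime
    status: str        # e.g. New, Investigating, Closed
    severity: str      # high, medium, low
    platform: str
    event_type: str
    user: str          # domain\username as reported by the agent (assumed format)
    endpoint_name: str
    process: str

def _text_match(needle, value):
    # Text filters: no wildcards, case-insensitive, full or partial match.
    return needle is None or needle.lower() in value.lower()

def filter_events(events, now, timeframe_days=None, status=None, severities=None,
                  platform=None, event_types=None, user=None, endpoint_name=None,
                  endpoint_id=None, process=None, event_id=None):
    """AND of all supplied filters, highest severity first; Closed hidden unless status='Closed'."""
    keep = []
    for e in events:
        rejected = [
            e.status == "Closed" and status != "Closed",              # default view hides Closed
            timeframe_days is not None and e.timestamp < now - timedelta(days=timeframe_days),
            status is not None and e.status != status,
            severities is not None and e.severity not in severities,
            platform is not None and e.platform != platform,
            event_types is not None and e.event_type not in event_types,
            endpoint_id is not None and e.endpoint_id != endpoint_id,  # complete ID only
            event_id is not None and e.event_id != event_id,           # complete ID only
            not _text_match(user, e.user),
            not _text_match(endpoint_name, e.endpoint_name),
            not _text_match(process, e.process),
        ]
        if not any(rejected):
            keep.append(e)
    return sorted(keep, key=lambda e: ("high", "medium", "low").index(e.severity))

NOW = datetime(2019, 6, 1, 12, 0)  # assumed query time
EVENTS = [  # constructed sample events, not real data
    SecurityEvent("E1", "EP-A", NOW - timedelta(days=2), "New", "medium", "Windows", "Malware", "corp\\alice", "LAPTOP-01", "dropper.exe"),
    SecurityEvent("E2", "EP-B", NOW - timedelta(days=10), "New", "high", "Windows", "Exploit", "corp\\bob", "LAPTOP-02", "winword.exe"),
    SecurityEvent("E3", "EP-C", NOW - timedelta(days=1), "Closed", "low", "macOS", "Malware", "lab\\ALICE", "mac-01", "dropper.bin"),
]
```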