Assess Security Events

Traps management service ranks all events in order of severity so you can quickly see the most important events when you log in to Traps management service. You can then drill down into the security events to determine whether a security event is a real threat and, if so, remediate it. In some cases, you may determine that a security event does not pose a real threat and can create an exception for it. Use the following workflow to drill down into a security event and assess whether it poses a security threat.
  1. From Traps management service, select Security > Security Events.
  2. Filter the security events.
    By default, Traps management service applies the Last 30 days filter to display only security events that occurred during the last 30 days. Traps management service also pins the Severity filter to the top of the Security Events page to allow you to narrow the results by severity. You can apply additional custom filters from the Filters menu at the top of the Security Events page. You can also pin (pin icon) any filters you want to persist the next time you return to the Security Events page.
    When you supply more than one filter, Traps management service displays only security events that match all the specified criteria. You can change the time period and filter security events using the following additional attributes:
    Filters that accept text do not accept wildcards and are case insensitive.
    • Time period—Filters security events that match a predefined or custom period of time. To change the time period to something other than the default Last 30 days, select an alternate time period from the drop-down: Last 24 hours, Last 7 days, or Last 3 Months. You can also define a Custom date or date range.
    • Endpoint ID—Filters security events that occur on endpoints matching the full endpoint ID that you specify. This ID is assigned by Traps to identify the endpoint.
    • Endpoint Name—Filters security events that occur on endpoints matching a full or partial endpoint hostname or alias.
      If the name of the endpoint changes, Traps management service automatically updates the name associated with the security event to use the new name, but preserves the original endpoint name in the details view of the event. To search for events for a renamed endpoint, use the current endpoint name as the match criteria.
    • Event Type—Filters security events by one or more selected event types (for example, Behavioral Threat or WildFire Malware).
    • Platform—Filters security events that occur on endpoints by one or more operating system types.
    • Process/File Name—Filters security events that match a full or partial process or file name.
    • SHA256—Filters security events that match a full SHA256 hash value.
    • Status—Filters security events by the status that you select (one or more). This can be helpful to filter security events that are new or are currently under investigation.
    • User—Filters security events by a specific endpoint username.
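The filter rules in step 2 (AND across filters, case-insensitive text with no wildcards, full match for Endpoint ID and SHA256 but partial match for Endpoint Name and Process/File Name, closed events hidden from the default view) are easy to get wrong when you reason about why an event did or did not appear. The following Python model is an added illustration and is not Traps management service code: the SecurityEvent fields, the sample events and the fixed "now" are constructed, the 90-day length of Last 3 Months is an assumption, and treating User as a full-value match is an assumption based on the wording "specific endpoint username".

```python
"""Model of the Security Events filter semantics described in step 2.

Added illustration, not Traps management service code. The SecurityEvent
fields, the sample events and the fixed "now" are constructed; treating
User as a full-value match and Last 3 Months as 90 days are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed reference time so the relative periods are reproducible (constructed).
NOW = datetime(2020, 1, 31, tzinfo=timezone.utc)

# Predefined time periods offered by the drop-down.
PERIODS = {
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 30 days": timedelta(days=30),
    "Last 3 Months": timedelta(days=90),
}

# Attributes that accept a partial value; every other attribute must match in full.
PARTIAL_MATCH = {"endpoint_name", "process_name"}


@dataclass
class SecurityEvent:
    event_id: int
    time: datetime
    endpoint_id: str
    endpoint_name: str
    event_type: str
    platform: str
    process_name: str
    sha256: str
    status: str
    user: str


def text_matches(field_name, wanted, actual):
    """Case-insensitive comparison with no wildcard support: '*' and '?' are
    ordinary characters, so 'fin-laptop*' matches nothing unless the name
    literally contains an asterisk."""
    wanted, actual = wanted.lower(), actual.lower()
    if field_name in PARTIAL_MATCH:
        return wanted in actual
    return wanted == actual


def filter_events(events, period="Last 30 days", now=NOW, **criteria):
    """Return the events inside the period that satisfy ALL criteria.

    A criterion given as a list (Event Type, Platform, Status) matches if any
    listed value matches. Closed events are hidden from the default view and
    only appear when a Status criterion explicitly selects them.
    """
    start = now - PERIODS[period]
    matched = []
    for ev in events:
        if not start <= ev.time <= now:
            continue
        if ev.status == "Closed" and "status" not in criteria:
            continue
        values_by_field = {
            name: (wanted if isinstance(wanted, list) else [wanted])
            for name, wanted in criteria.items()
        }
        if all(
            any(text_matches(name, v, getattr(ev, name)) for v in values)
            for name, values in values_by_field.items()
        ):
            matched.append(ev)
    return matched


# Constructed sample events: two malware hits on the same laptop (one already
# closed), a behavioral threat on a second laptop, and an older exploit event.
SAMPLE_EVENTS = [
    SecurityEvent(1, NOW - timedelta(days=2), "EP-0001", "FIN-LAPTOP-07",
                  "WildFire Malware", "Windows", "invoice.exe", "a" * 64, "New", "jdoe"),
    SecurityEvent(2, NOW - timedelta(days=10), "EP-0002", "fin-laptop-12",
                  "Behavioral Threat", "Windows", "powershell.exe", "b" * 64, "Investigating", "asmith"),
    SecurityEvent(3, NOW - timedelta(days=45), "EP-0003", "BUILD-SRV-01",
                  "Exploit", "Linux", "bash", "c" * 64, "New", "root"),
    SecurityEvent(4, NOW - timedelta(days=1), "EP-0004", "FIN-LAPTOP-07",
                  "WildFire Malware", "Windows", "invoice.exe", "a" * 64, "Closed", "jdoe"),
]


def event_ids(events):
    return [ev.event_id for ev in events]


if __name__ == "__main__":
    print(event_ids(filter_events(SAMPLE_EVENTS)))                              # default view
    print(event_ids(filter_events(SAMPLE_EVENTS, endpoint_name="fin-laptop")))  # partial, case-insensitive
    print(event_ids(filter_events(SAMPLE_EVENTS, endpoint_id="EP-000")))        # full match required
    print(event_ids(filter_events(SAMPLE_EVENTS, sha256="a" * 64, status=["New", "Closed"])))
```

Two consequences worth noticing when you triage: an Endpoint ID or SHA256 prefix returns nothing rather than a superset, and a closed duplicate of the event you are looking at only shows up once you add Status: Closed to the filter, so a hash that looks new may already have a closed history.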
  3. To drill down into additional Security Event Details, select the Event name.
    This detailed view provides context around the event and provides information you can use to help you assess whether the security event is a valid threat.
    Additionally, you can further analyze the security event details in Cortex XDR to identify the root cause and timeline of events. To use integrated security event analysis with Cortex XDR, you must have a valid Cortex XDR license and enable the Monitor and collect enhanced endpoint data capability in an Agent Settings profile.
  4. While you are investigating a security event, consider changing the event STATUS (edit icon) to Investigating.
    To set the status for multiple events in bulk, select the security events in the table view, select the change status icon from the action menu that appears at the top of the security events table, and then choose the desired status.
    After you set the status for one or more security events, you can easily filter the Security Events dashboard by the events you are currently assessing.
  5. If the threat violated a Malware policy rule, you can also view information about the hash and the associated WildFire Analysis Report to learn about the malicious behavior that WildFire observed.
    You can then use this information to help you remediate the malware on your endpoints to prevent it from propagating. If you disagree with a WildFire verdict, you can submit a report to Palo Alto Networks describing why you believe the verdict is incorrect. For more information, see Review WildFire Analysis Details.
  6. Retrieve data from the endpoint.
    1. From the details view of a security event, select Actions > Retrieve Data. Traps management service also provides additional analysis of the memory contents when an exploit security event occurs. To retrieve data and begin analysis, select Retrieve and Analyze Security Event Data. After Traps management service receives the security event data and begins analysis, you can monitor the progress on the Analysis tab.
    2. Confirm the action to Retrieve data.
      Traps management service displays the status of the data retrieval request in the Details of the security event.
      You can also go to Actions Tracker to view all data collected from Traps agents. See Monitor Administrative Actions.
    3. After the Traps agent uploads the data to Traps management service, you can download it to further assess and understand the activity associated with the event.
      To view additional details about an endpoint, including the policy applied on the endpoint, see Manage Registered Endpoints.
  7. (Windows, Mac, and Linux only) Take additional action to halt potential damage on an endpoint.
    The Response Actions that are available for the event vary depending on the security event type and are displayed on the Actions menu for the security event.
  8. To help track your progress as you analyze a security event:
    1. Enter or view Comments for the event.
    2. View the change History for a security event.
  9. (Optional) If, after reviewing the details about a security event, you want to grant an exception to the security policy that triggered the event, Create a Policy Exception.
    To configure an exception for an event triggered by your exploit policy, configure a Process Exception. To configure an exception for an event triggered by your malware policy, configure a Hash Exception. Exceptions are not available for restriction policy rules.
  10. After you complete your investigation, change the STATUS of the security events to Closed to indicate to other administrators that no additional assessment is required.
    The Traps management service filters out closed events from the default view of the Security Events page. To include closed events in results, select the Status: Closed search filter.
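Steps 4 and 8 through 10 describe a small triage workflow: a status that moves from New through Investigating to Closed (individually or in bulk), comments and a change history that record who did what, and an exception decision whose type depends on which policy fired. The following Python bookkeeping class is an added illustration and is not Traps management service code: the TriageRecord class, the shape of the history entries, the string timestamps and the sample administrators are constructed assumptions; the status values and the policy-to-exception mapping come from the steps above.

```python
"""Bookkeeping for the triage steps above (status, comments, history and the
exception decision in step 9).

Added illustration, not Traps management service code. The TriageRecord
class, the history tuple layout, the string timestamps and the sample
administrators are constructed assumptions; the status values and the
policy-to-exception mapping come from the documented steps.
"""

STATUSES = ("New", "Investigating", "Closed")

# Step 9: which exception an event can receive depends on the policy that
# triggered it. Restriction policy rules have no exception at all.
EXCEPTION_FOR_POLICY = {
    "exploit": "Process Exception",
    "malware": "Hash Exception",
    "restriction": None,
}


class TriageRecord:
    """Status, comments and change history for one security event."""

    def __init__(self, event_id, policy_type):
        if policy_type not in EXCEPTION_FOR_POLICY:
            raise ValueError(f"unknown policy type: {policy_type}")
        self.event_id = event_id
        self.policy_type = policy_type
        self.status = "New"
        self.comments = []   # (when, admin, text)
        self.history = []    # (when, admin, field, old, new)

    def set_status(self, new_status, admin, when):
        """Step 4 / step 10: change the status and log it. Returns True if the
        status actually changed, False if it was already set."""
        if new_status not in STATUSES:
            raise ValueError(f"unknown status: {new_status}")
        old = self.status
        if old == new_status:
            return False
        self.status = new_status
        self.history.append((when, admin, "status", old, new_status))
        return True

    def add_comment(self, text, admin, when):
        """Step 8: comments are kept and also appear in the change history."""
        self.comments.append((when, admin, text))
        self.history.append((when, admin, "comment", None, text))

    def exception_type(self):
        """Which exception step 9 allows for this event, or None."""
        return EXCEPTION_FOR_POLICY[self.policy_type]

    def close_with_exception(self, admin, when):
        """Record the exception decision and close the event. Raises for
        restriction policy events, which cannot receive an exception."""
        exc = self.exception_type()
        if exc is None:
            raise ValueError("exceptions are not available for restriction policy rules")
        self.history.append((when, admin, "exception", None, exc))
        self.set_status("Closed", admin, when)
        return exc


def bulk_set_status(records, new_status, admin, when):
    """Step 4 bulk action over selected events; returns how many changed."""
    return sum(r.set_status(new_status, admin, when) for r in records)


def open_records(records):
    """Records still shown in the default Security Events view (not Closed)."""
    return [r for r in records if r.status != "Closed"]


if __name__ == "__main__":
    # Constructed walk-through: three events from three different policies.
    queue = [TriageRecord(1, "malware"), TriageRecord(2, "restriction"), TriageRecord(3, "exploit")]
    bulk_set_status(queue, "Investigating", "admin-a", "2020-01-31T09:00:00Z")
    queue[2].close_with_exception("admin-b", "2020-01-31T11:30:00Z")
    for r in queue:
        print(r.event_id, r.status, r.exception_type(), len(r.history))
```

Keeping the exception decision in the same history as the status change is what lets a second administrator later answer "why was this closed?" from the event alone, which is the point of step 8.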
