Assess Security Events
Traps management service ranks all events in order of severity so you can quickly see the most important events when you log in to Traps management service. You can then drill down into the security events to determine if a security event is a real threat and, if so, remediate it. In some cases, you may determine that a security event does not pose a real threat and can create an exception for it. Use the following workflow to drill down into a security event and assess whether it poses a security threat.
- From Traps management service, select Security > Security Events.
- Filter the security events. By default, Traps management service applies the Last 30 days filter to display only security events that occurred during the last 30 days. Traps management service also pins the Severity filter to the top of the Security Events page to allow you to narrow the results by severity. You can apply additional custom filters from the Filters menu at the top of the Security Events page. You can also pin any filters you want to persist the next time you return to the Security Events page. When you supply more than one filter, Traps management service displays only security events that match all the specified criteria. Filters that accept text do not accept wildcards and are case insensitive. You can change the time period and filter security events using the following additional attributes:
  - Time period—Filters security events that match a predefined or custom period of time. To change the time period to something other than the default Last 30 days, select an alternate time period from the drop-down: Last 24 hours, Last 7 days, or Last 3 Months. You can also define a Custom date or date range.
  - Endpoint ID—Filters security events that occur on endpoints matching the full endpoint ID that you specify. This ID is assigned by Traps to identify the endpoint.
  - Endpoint Name—Filters security events that occur on endpoints matching a full or partial endpoint hostname or alias. If the name of the endpoint changes, Traps management service automatically updates the name associated with the security event to use the new name, but preserves the original endpoint name in the details view of the event. To search for events for a renamed endpoint, use the current endpoint name as match criteria.
  - Event Type—Filters security events by one or more selected event types (for example, Behavioral Threat or WildFire Malware).
  - Platform—Filters security events that occur on endpoints by one or more operating system types.
  - Process/File Name—Filters security events that match a full or partial process or file name.
  - SHA256—Filters security events that match a full SHA256 hash value.
  - Status—Filters security events by the status that you select (one or more). This can be helpful to filter security events that are new or are currently under investigation.
  - User—Filters security events by a specific endpoint username.
- To drill down into additional Security Event Details, select the Event name. This detailed view provides context around the event and provides information you can use to help you assess whether the security event is a valid threat. Additionally, you can further analyze the security event details in Cortex XDR to identify the root cause and timeline of events. To use integrated security event analysis with Cortex XDR, you must have a valid Cortex XDR license and enable the Monitor and collect enhanced endpoint data capability in an Agent Settings profile.
- While you are investigating a security event, consider changing the event STATUS to Investigating. To set the status for multiple events in bulk, select the security events in the table view, select the change status icon from the action menu that appears at the top of the security events table, and then choose the desired status. After you set the status for one or more security events, you can easily filter the Security Events dashboard by the events you are currently assessing.
- If the threat violated a Malware policy rule, you can also view information about the hash and the associated WildFire Analysis Report to learn about the malicious behavior that WildFire observed. You can then use this information to help you remediate the malware on your endpoints to prevent it from propagating. If you disagree with a WildFire verdict, you can submit a report to Palo Alto Networks describing why you believe the verdict is incorrect. For more information, see Review WildFire Analysis Details.
- Retrieve data from the endpoint.
  - From the details view of a security event,. Traps management service also provides additional analysis of the memory contents when an exploit security event occurs. To retrieve data and begin analysis, select Actions > Retrieve Data > Retrieve and Analyze Security Event Data. After Traps management service receives the security event data and begins analysis, you can monitor the progress on the Analysis tab.
  - Confirm the action to Retrieve data. Traps management service displays the status of the data retrieval request in the Details of the security event. You can also go to Actions Tracker to view all data collected from Traps agents. See Monitor Administrative Actions.
  - After the Traps agent uploads the data to Traps management service, you can download it to further assess and understand the activity associated with the event.
- (Windows, Mac, and Linux only) Take additional action to halt potential damage on an endpoint.
- To help track your progress as you analyze a security event:
  - Enter or view Comments for the event.
  - View the change History for a security event.
- (Optional) If, after reviewing the details about a security event, you want to grant an exception to the security policy that triggered the event, Create a Policy Exception. To configure an exception for an event triggered by your exploit policy, configure a Process Exception. To configure an exception for an event triggered by your malware policy, configure a Hash Exception. Exceptions are not available for restriction policy rules.
- After you complete your investigation, change the STATUS of the security events to Closed to indicate to other administrators that no additional assessment is required. The Traps management service filters out closed events from the default view of the Security Events page. To include closed events in results, select the Status: Closed search filter.
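The filter semantics described in this workflow (every supplied filter must match, text filters are case-insensitive literal matches with no wildcard expansion, endpoint ID and SHA256 require the full value while endpoint name and process/file name accept a partial value, and Closed events are hidden unless the Status: Closed filter is applied) can be modeled in a few lines so an analyst can sanity-check a query before relying on the console view. The following Python is an added example written for this page, not code from Palo Alto Networks or the Traps management service; the event field names, the 90-day length of "Last 3 Months", and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SecurityEvent:
    """One row of the Security Events table (field names are assumptions)."""
    event_id: int
    timestamp: datetime
    endpoint_id: str
    endpoint_name: str
    event_type: str
    platform: str
    process_name: str
    sha256: str
    status: str
    user: str


# Constructed reference time; none of the data below is real Traps output.
NOW = datetime(2019, 6, 1, 12, 0)


def days_ago(n: int, now: datetime = NOW) -> datetime:
    """Timestamp n days before the reference time."""
    return now - timedelta(days=n)


# Constructed sample events covering open/closed status and several platforms.
EVENTS = [
    SecurityEvent(1, days_ago(2), "EP-0001", "FIN-LAPTOP-07", "WildFire Malware",
                  "Windows", "invoice.exe", "a" * 64, "New", "CORP\\alice"),
    SecurityEvent(2, days_ago(10), "EP-0002", "dev-build-01", "Behavioral Threat",
                  "Linux", "bash", "b" * 64, "Investigating", "root"),
    SecurityEvent(3, days_ago(45), "EP-0001", "FIN-LAPTOP-07", "Exploit",
                  "Windows", "winword.exe", "c" * 64, "Closed", "CORP\\alice"),
    SecurityEvent(4, days_ago(1), "EP-0003", "mac-design-02", "WildFire Malware",
                  "Mac", "Installer", "a" * 64, "Closed", "bob"),
]

# Predefined periods from the drop-down; 90 days for "Last 3 Months" is an assumption.
PERIODS = {
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 30 days": timedelta(days=30),
    "Last 3 Months": timedelta(days=90),
}


def _text_match(value: str, needle: str, partial: bool) -> bool:
    """Case-insensitive comparison; the needle is taken literally (no wildcards)."""
    value, needle = value.lower(), needle.lower()
    return needle in value if partial else value == needle


# Full-value filters (ID, hash, user), partial filters (endpoint name, process/file
# name) and multi-select pick lists (event type, platform, status).
MATCHERS = {
    "endpoint_id": lambda e, v: _text_match(e.endpoint_id, v, partial=False),
    "endpoint_name": lambda e, v: _text_match(e.endpoint_name, v, partial=True),
    "event_type": lambda e, v: e.event_type in v,
    "platform": lambda e, v: e.platform in v,
    "process_name": lambda e, v: _text_match(e.process_name, v, partial=True),
    "sha256": lambda e, v: _text_match(e.sha256, v, partial=False),
    "status": lambda e, v: e.status in v,
    "user": lambda e, v: _text_match(e.user, v, partial=False),
}


def filter_events(events, now=NOW, time_period="Last 30 days",
                  custom_range=None, **criteria):
    """Return the events that satisfy every supplied criterion (logical AND).

    A custom (start, end) range overrides the predefined time period. Closed
    events are hidden unless the status filter explicitly includes "Closed",
    mirroring the default view of the Security Events page.
    """
    unknown = set(criteria) - set(MATCHERS)
    if unknown:
        raise ValueError(f"unsupported filter attribute(s): {sorted(unknown)}")
    start, end = custom_range if custom_range else (now - PERIODS[time_period], now)
    show_closed = "Closed" in criteria.get("status", ())
    return [
        e for e in events
        if start <= e.timestamp <= end
        and (show_closed or e.status != "Closed")
        and all(MATCHERS[key](e, value) for key, value in criteria.items())
    ]


def event_ids(events) -> list:
    """Event IDs of a result set, for assertions and printing."""
    return [e.event_id for e in events]


if __name__ == "__main__":
    print("default view:", event_ids(filter_events(EVENTS)))
    print("closed events, last 3 months:",
          event_ids(filter_events(EVENTS, time_period="Last 3 Months", status={"Closed"})))
```

Two behaviours are worth noticing when you run it: a process/file name of `*.exe` matches nothing because the asterisk is treated as a literal character, and an event that is outside the active time window is never returned even when a status or hash filter would otherwise match it.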