Assess Security Events

Traps management service ranks all events in order of severity so you can quickly see the most important events when you log in to Traps management service. You can then drill down into a security event to determine whether it is a real threat and, if so, remediate it. In some cases, you may determine that a security event does not pose a real threat and can create an exception for it. Use the following workflow to drill down into a security event and assess whether it poses a security threat.
  1. From Traps management service, select Security Events.
  2. Filter the security events.
    Traps management service displays the filters you can use at the top of the Security Events page. When you supply more than one filter, Traps management service displays only security events that match all the specified criteria.
    Filters that accept text match case-insensitively and do not support wildcards.
    • By time—Select the Timeframe for which you would like to filter security events: Last 24 hours, Last 7 days, Last 30 days, or Last 3 Months.
    • By status—Select the Status for which you would like to filter security events. You can define or change the status for each event when you view additional details about the event.
    • By severity—Traps management service indicates the total number of threats for each severity (high, medium, and low) with links you can use to filter security events by severity. You can also use the Severity drop-down at the top of the page to filter by one or more severities.
    • By platform—Select Platform to filter by operating system.
    • By event type—Select one or more event types by which to filter security events. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial name of an event type.
    • By username—Enter a full or partial User to filter security events that occurred when a user was logged in to one or more endpoints. You can also include the user domain in the format domain\username to filter security events for a user that belongs to a specific domain.
    • By endpoint name or ID—Enter a complete or partial Endpoint Name in the Search field.
      If the name of the endpoint changes, Traps management service automatically updates the name associated with the security event to use the new name, but preserves the original endpoint name in the details view of the event. To search for events for a renamed endpoint, use the current endpoint name as match criteria.
      To instead search for an endpoint by its unique endpoint ID, select Endpoint ID instead of Endpoint Name and enter the complete ID value. You can identify the endpoint ID—which is assigned by Traps management service—in the details view for an endpoint (for more information, see View Details About an Endpoint).
    • By process or file name—Enter a full or partial Process/File Name to filter security events for a specific file.
    • By event ID—Enter a complete Event ID to filter security events for the unique ID issued to each security event.
  3. To drill down into additional Security Event Details, select the Event name.
    This detailed view provides context around the event and provides information you can use to help you assess whether the security event is a valid threat.
  4. While you are investigating a security event, consider changing the event STATUS to Investigating.
    To set the status for multiple events in bulk, select the security events in the table view, select the change status icon from the action menu that appears at the top of the security events table, and then choose the desired status.
    After you set the status for one or more security events, you can easily filter the Security Events dashboard by the events you are currently assessing.
  5. If the threat violated a Malware policy rule, you can also view information about the hash and the associated WildFire Analysis Report to learn about the malicious behavior that WildFire observed.
    You can then use this information to help you remediate the malware on your endpoints to prevent it from propagating. If you disagree with a WildFire verdict, you can submit a report to Palo Alto Networks describing why you believe the verdict is incorrect. For more information, see Review WildFire Analysis Details.
  6. Retrieve data from the endpoint.
    1. From the details view of a security event, select Actions > Retrieve Data. For exploit security events, Traps management service can also analyze the retrieved memory contents: select Retrieve and Analyze Security Event Data instead. After Traps management service receives the security event data and begins analysis, you can monitor the progress on the Analysis tab.
    2. Confirm the action to Retrieve data.
      Traps management service displays the status of the data retrieval request in the Details of the security event.
      You can also go to Actions Tracker to view all data collected from Traps agents. See Monitor Administrative Actions.
    3. After the Traps agent uploads the data to Traps management service, you can download it to further assess and understand the activity associated with the event.
      To view additional details about an endpoint including the policy applied on the endpoint, see Manage Registered Endpoints.
  7. (Windows only) Take additional action to halt potential damage on an endpoint.
    The Response Actions that are available for the event vary depending on the security event type and are displayed on the Actions menu for the security event.
  8. To help track your progress as you analyze a security event:
    1. Enter or view Comments for the event.
    2. View the change History for a security event.
  9. (Optional) If after reviewing the details about a security event you want to grant an exception to the security policy that triggered the event, Create a Policy Exception.
    To configure an exception for an event triggered by your exploit policy, configure a Process Exception. To configure an exception for an event triggered by your malware policy, configure a Hash Exception. Exceptions are not available for restriction policy rules.
  10. After you complete your investigation, change the STATUS of the security events to Closed to indicate to other administrators that no additional assessment is required.
    Traps management service filters closed events out of the default view of the Security Events page. To include closed events in the results, select the Status: Closed search filter.
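The following Python model is an added example and is not Traps management service code; it exists only to make the filter rules of step 2 and the default view behaviour of step 10 concrete. It applies the rules the page states: all supplied filters must match (AND), text filters are case-insensitive substrings with no wildcard expansion, Endpoint ID and Event ID must be given in full, a domain\username value restricts the user match to that domain, and Closed events are left out unless a Status filter asks for them. The event fields, the status names New/Investigating/Closed, the 90-day length of "Last 3 Months", the rule that the domain part is compared in full, and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class SecurityEvent:
    event_id: str        # unique ID issued to each event (matched in full only)
    timestamp: datetime
    status: str          # assumed status names: "New", "Investigating", "Closed"
    severity: str        # "high", "medium" or "low"
    platform: str
    event_type: str
    user: str            # assumed to be stored as "domain\\username"
    endpoint_name: str   # current name; updated automatically on rename
    endpoint_id: str     # service-assigned ID (matched in full only)
    process_name: str


# Timeframe choices offered by the filter. "Last 3 Months" is approximated
# as 90 days here (assumption; the page does not say how a month is counted).
TIMEFRAMES = {
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 30 days": timedelta(days=30),
    "Last 3 Months": timedelta(days=90),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def partial(haystack: str, needle: str) -> bool:
    """Text filters: case-insensitive substring; a '*' is just a literal character."""
    return needle.lower() in haystack.lower()


def user_matches(event_user: str, pattern: str) -> bool:
    """A bare value matches the username part in any domain; 'domain\\username'
    also requires the domain to match (assumption: domain compared in full)."""
    ev_domain, _, ev_user = event_user.rpartition("\\")
    if "\\" in pattern:
        want_domain, _, want_user = pattern.rpartition("\\")
        return ev_domain.lower() == want_domain.lower() and partial(ev_user, want_user)
    return partial(ev_user, pattern)


def filter_events(events, now, *, timeframe=None, statuses=None, severities=None,
                  platforms=None, event_types=None, user=None, endpoint_name=None,
                  endpoint_id=None, process_name=None, event_id=None):
    """Return the events satisfying every supplied filter (filters are ANDed).
    With no Status filter, Closed events are left out, as in the default view."""
    kept = []
    for ev in events:
        if timeframe is not None and ev.timestamp < now - TIMEFRAMES[timeframe]:
            continue
        if statuses is None:
            if ev.status == "Closed":
                continue
        elif ev.status not in statuses:
            continue
        if severities is not None and ev.severity not in severities:
            continue
        if platforms is not None and ev.platform not in platforms:
            continue
        if event_types is not None and ev.event_type not in event_types:
            continue
        if user is not None and not user_matches(ev.user, user):
            continue
        if endpoint_name is not None and not partial(ev.endpoint_name, endpoint_name):
            continue
        if endpoint_id is not None and ev.endpoint_id != endpoint_id:  # complete ID only
            continue
        if process_name is not None and not partial(ev.process_name, process_name):
            continue
        if event_id is not None and ev.event_id != event_id:           # complete ID only
            continue
        kept.append(ev)
    return kept


def ranked(events):
    """Order as the page does: most severe first, newest first within a severity."""
    return sorted(events, key=lambda ev: (SEVERITY_RANK[ev.severity], -ev.timestamp.timestamp()))


def severity_counts(events) -> Dict[str, int]:
    """Per-severity totals like those shown at the top of the Security Events page."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for ev in events:
        counts[ev.severity] += 1
    return counts


def ids(events) -> List[str]:
    return [ev.event_id for ev in events]


# Constructed sample events for the example (not real telemetry).
NOW = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SecurityEvent("e-1001", NOW - timedelta(hours=2), "New", "high", "Windows", "Exploit",
                  "CORP\\alice", "WS-ALICE-01", "ep-7f3a", "winword.exe"),
    SecurityEvent("e-1002", NOW - timedelta(days=3), "Investigating", "medium", "Windows",
                  "Malware", "CORP\\bob", "WS-BOB-02", "ep-91c0", "setup.exe"),
    SecurityEvent("e-1003", NOW - timedelta(days=10), "New", "low", "macOS", "Malware",
                  "LAB\\alice", "MAC-ALICE", "ep-2d44", "Installer"),
    SecurityEvent("e-1004", NOW - timedelta(days=45), "Closed", "high", "Linux", "Restriction",
                  "CORP\\carol", "SRV-DB-01", "ep-aa10", "curl"),
    SecurityEvent("e-1005", NOW - timedelta(hours=30), "New", "medium", "Windows", "Exploit",
                  "CORP\\alice", "WS-ALICE-01", "ep-7f3a", "excel.exe"),
]

if __name__ == "__main__":
    view = filter_events(SAMPLE_EVENTS, NOW)          # default view: Closed event dropped
    print(severity_counts(view), ids(ranked(view)))
    print(ids(filter_events(SAMPLE_EVENTS, NOW, user="corp\\alice", timeframe="Last 24 hours")))
```

Two points the model makes visible: a partial Endpoint ID such as "ep-7f" returns nothing, because only a complete ID matches, and a wildcard such as "*.exe" in Process/File Name also returns nothing, because the asterisk is matched literally rather than expanded.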