What is a Security Event?

When the Traps agent identifies an attempt to run a malicious file or process, the agent logs a security event.
Traps agents report security events when the file or process matches your applied policy rules (either default policy rules or custom rules you define). When the event occurs, Traps applies the action specified in the applied security profile, either blocking the malicious activity, or allowing and reporting the malicious activity. Some examples of events that can trigger a security event include attempts to:
  • Run known malware
  • Run unknown files
  • Leverage bugs or flaws in software for a malicious purpose
The following topics provide more information to help you assess security events.

Security Event Severity Levels

When a security event occurs, Traps logs the event and reports it to Traps management service. The log for each security event identifies the type of event and the specific module Traps applied to the process or file. Traps management service assigns each security event a severity level based on the nature of the event. The following table lists the events in order of Severity (High to Low), then alphabetically by Protection Modules.
Module                                                    Severity
Anti-Ransomware Protection                                High
APC Protection                                            High
Behavioral Threat                                         High
Kernel Privilege Escalation Protection                    High
WildFire Post-Detection (Malware and Grayware)            High
Brute Force Protection                                    Medium
Child Process Protection                                  Medium
CPL Protection                                            Medium
DEP                                                       Medium
DLL Hijacking Protection                                  Medium
DLL Security                                              Medium
Dylib Hijack Protection                                   Medium
Exception SysExit Check                                   Medium
Exploit Kit Fingerprinting Protection                     Medium
Font Protection                                           Medium
Gatekeeper Enhancement                                    Medium
Hot Patch Protection                                      Medium
JIT Mitigation                                            Medium
Local Analysis                                            Medium
Null Dereference Protection                               Medium
Reverse Shell Protection                                  Medium
ROP Mitigation                                            Medium
SEH Protection                                            Medium
Shellcode Protection                                      Medium
ShellLink Protection                                      Medium
UASLR                                                     Medium
WildFire Malware                                          Medium
Execution from a Restricted Location - Local Path         Low
Execution from a Restricted Location - Network Location   Low
Execution from a Restricted Location - Removable Media    Low
Hash Exception                                            Low
WildFire Grayware (Treat as malware)                      Low
WildFire Unknown (Treat as malware)                       Low

Security Event Details

When the Traps agent reports a security event, Traps management service provides a detailed view of the security event that you can use to assess the event and determine if it poses a security threat that requires additional mitigation and remediation. The details for each security event vary depending on the type of event and can describe the process or file that was blocked or reported, the module which triggered the event and the profile from which the module was enabled. These details can include some or all of the following information:
Security Event
  SEVERITY: Level of severity associated with the type of event: High, Medium, or Low.
  EVENT: Name of the event that occurred.
  AGENT LOCAL TIME: Local time on the endpoint when the event occurred.
  EVENT ID: Unique event ID.
  STATUS: Administrator-defined status for the security event. When an event is first reported to Traps management service, the event has a STATUS of New. When you begin to assess the potential threat for a security event, you can set the STATUS to Investigating. This allows you to easily filter the Security Events dashboard for the security events that you are currently assessing. After you complete your investigation, you can change the STATUS to Closed to indicate to other administrators that no additional assessment is required.
  AGENT TIME: Coordinated Universal Time (UTC) when the event occurred on the endpoint, adjusted for your local system time.
  REPORT TIME: Coordinated Universal Time (UTC) when Traps management service received the security event log, adjusted for your local system time.
Data Retrieval (displayed for malware events only if you attempt to retrieve data from the endpoint)
  STATUS: Status of the data retrieval request:
    • Pending when the request for data is initiated from Traps management service.
    • In Progress after the Traps agent receives the request.
    • Failed if the request fails or times out.
    When the upload is complete, Traps management service displays a link to Download Retrieved Data.
  GENERATION DATE: Date and time the data was requested.
Module
  PROFILE TYPE: Type of profile associated with the rule. For details on profile types, see Traps Profiles.
  SOURCE PROCESS: Name of the source process or file that triggered the event.
  ACTION: Action taken by Traps when the security event occurred: Block the process, file, or activity; or Report the event but do not block it.
  MODULE: Module that triggered the event. The supported modules vary by the capabilities supported on each platform. See Protection Modules.
  VERDICT: For file-related events, this field displays the verdict assigned to the file by the WildFire or Local Analysis module.
Endpoint: <endpointName> (additional information about the endpoint)
  STATUS: The status of the endpoint as reported on the Endpoints page (Active, Inactive, Zombie, Unauthorized, Unlicensed, Agent Incompatible, or OS Incompatible).
  LOGGED ON USER: User that was logged in to the endpoint when the security event occurred.
  OS VERSION: Version of the operating system.
  CONTENT VERSION: Version of the content update installed with the Traps agent.
  ENDPOINT ID: Unique identifier of the endpoint (assigned by Traps management service).
  DOMAIN: Domain or workgroup to which the endpoint belongs.
  OS NAME: Operating system name and architecture.
  AGENT VERSION: Version of the Traps agent.
  IP: IPv4 or IPv6 address of the endpoint.
Processes (additional information about the affected process)
  PROCESS: Name of the process. For example, notepad++.exe.
  PID: Unique identifier for the running process.
  FILE NAME: File name of the process. For example, notepad++.exe.
  FULL PATH: Full path for the file. For example, C:\Users\User\Desktop\ROP\notepad++.exe.
  SIGNER: Signer of the file. For example, Microsoft Corporation.
Files (information about files accessed by the affected process)
  FILE NAME: Name of the file that triggered the event.
  FULL PATH: Full path to the file involved in the event.
  SHA 256: SHA-256 hash of the file.
Users
  USER NAME: User account used to run the process.
  USER DOMAIN: Domain or workgroup to which the user belongs.
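As an added example (not Traps documentation or code), the following Python script turns the severity table and the STATUS/ACTION fields above into a triage order for open events. The record layout (plain dicts keyed by the field names shown) is an assumption, since this page defines no export format.

```python
"""Rank Traps security events for triage (added example, not Traps code).
Severity-by-module is copied from the "Security Event Severity Levels" table;
the plain-dict record layout keyed by field names is an assumption (this page
defines no export format)."""

HIGH = {"Anti-Ransomware Protection", "APC Protection", "Behavioral Threat",
        "Kernel Privilege Escalation Protection", "WildFire Post-Detection"}
LOW = {"Execution from a Restricted Location - Local Path",
       "Execution from a Restricted Location - Network Location",
       "Execution from a Restricted Location - Removable Media",
       "Hash Exception", "WildFire Grayware", "WildFire Unknown"}
MEDIUM = {"Brute Force Protection", "Child Process Protection", "CPL Protection",
          "DEP", "DLL Hijacking Protection", "DLL Security", "UASLR",
          "Dylib Hijack Protection", "Exception SysExit Check", "JIT Mitigation",
          "Exploit Kit Fingerprinting Protection", "Font Protection",
          "Gatekeeper Enhancement", "Hot Patch Protection", "Local Analysis",
          "Null Dereference Protection", "Reverse Shell Protection",
          "ROP Mitigation", "SEH Protection", "Shellcode Protection",
          "ShellLink Protection", "WildFire Malware"}
_RANK = {"High": 0, "Medium": 1, "Low": 2, "Unknown": 3}

def severity(module: str) -> str:
    """Severity the table assigns to MODULE; 'Unknown' if it is not listed."""
    for level, modules in (("High", HIGH), ("Medium", MEDIUM), ("Low", LOW)):
        if module in modules:
            return level
    return "Unknown"

def triage_order(events: list[dict]) -> list[str]:
    """EVENT IDs of open events, most urgent first: higher severity first, then
    events Traps only Reported (the activity ran) before ones it Blocked, then
    New before Investigating. Closed events are dropped (no further assessment)."""
    open_events = [e for e in events if e["STATUS"] != "Closed"]
    open_events.sort(key=lambda e: (_RANK[severity(e["MODULE"])],
                                    e["ACTION"] != "Report",
                                    e["STATUS"] != "New"))
    return [e["EVENT ID"] for e in open_events]

# Constructed sample records, not real Traps data.
SAMPLE = [
    {"EVENT ID": "e1", "MODULE": "ROP Mitigation", "ACTION": "Block", "STATUS": "New"},
    {"EVENT ID": "e2", "MODULE": "Behavioral Threat", "ACTION": "Report", "STATUS": "Investigating"},
    {"EVENT ID": "e3", "MODULE": "Hash Exception", "ACTION": "Report", "STATUS": "New"},
    {"EVENT ID": "e4", "MODULE": "WildFire Malware", "ACTION": "Block", "STATUS": "Closed"},
    {"EVENT ID": "e5", "MODULE": "Behavioral Threat", "ACTION": "Block", "STATUS": "New"},
]

if __name__ == "__main__":
    print(triage_order(SAMPLE))  # ['e2', 'e5', 'e1', 'e3']
```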

Analysis Details (for Exploit Security Events)

When Traps reports a security event for a software exploit or vulnerability, Traps also captures the contents of memory at the time the event occurred. To verify whether the activity was indeed malicious, you can retrieve the security event data from the endpoint for Traps management service to perform an additional analysis on the memory data. Traps management service reports the status of the analysis on the Analysis tab for an exploit security event. When the analysis is complete, you can review the verdict issued as a result of the analysis, details about the nature of the activity, and recommendations (if applicable) on how to prevent the event from occurring on endpoints in the future.
Analysis
  STATUS: Status of the analysis.
  VERDICT: Traps management service issued verdict for the file based on additional analysis of security event data:
    • Benign—Additional analysis of the memory determined the activity is benign.
    • Malware—Additional analysis of the memory determined the activity is malicious.
    • Inconclusive—Additional analysis of the memory did not definitively determine whether the event was malicious or benign.
  DESCRIPTION: Analysis findings that describe why Traps management service issued the verdict as Benign or Malware.
  RECOMMENDED ACTION: If applicable, action recommended by Traps management service. In the case of a benign verdict, this recommendation details how to resolve and prevent this event from reoccurring on endpoints in the future.
Data Retrieval (displayed only if you attempt to retrieve data from the endpoint)
  STATUS: Status of the data retrieval request: Pending when the request for data is initiated from Traps management service, In Progress after the Traps agent receives the request, and Failed if the request fails or times out. When the upload is complete, Traps management service displays a link to Download Retrieved Data.
  GENERATION DATE: Date and time the data was requested.

WildFire Analysis Details

When WildFire returns a verdict for a file, Traps management service also receives the WildFire analysis report. This report contains the detailed sample information and behavior analysis in different sandbox environments. You can use the report to assess whether the file poses a real threat on an endpoint. The details in the WildFire analysis report for each event vary depending on the behavior of the file.
File: <fileName> (<hashValue>)
  VERDICT: Official WildFire verdict for the file: Unknown, Malware, Grayware, or Benign.
  SHA1: Hash value of the file generated using the SHA1 algorithm.
  SHA256: Hash value of the file generated using the SHA256 algorithm.
  MD5: Hash value of the file generated using the MD5 algorithm.
  FILE TYPE: Type of file. For example, Portable Executable or DLL.
  SIZE: Size of the file.
Analysis Reports
  ANALYSIS: The Analysis Reports section includes the WildFire analysis reports for each testing environment. Each WildFire analysis report displays information about targeted processes and users, email header information (if enabled), the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. WildFire reports contain some or all of this information, depending on the observed behavior of the file.