What is a Security Event?
When the Traps agent identifies an attempt to run a malicious file or process, the agent logs a security event.
A security event occurs when the Traps agent identifies an attempt to run a malicious file or process. Traps agents report security events when the file or process matches your applied policy rules (either default policy rules or custom rules you define). When the event occurs, Traps applies the action specified in the applied security profile, either blocking the malicious activity, or allowing and reporting it. Examples of activity that can trigger a security event include attempts to:
- Run known malware
- Run unknown files
- Leverage bugs or flaws in software for a malicious purpose
The following topics provide more information to help you Assess Security Events:
Security Event Severity Levels
When a security event occurs, Traps logs the event and reports it to Traps management service. The log for each security event identifies the type of event and the specific module Traps applied to the process or file. Traps management service assigns each security event a severity level based on the nature of the event. The following table lists the events in order of Severity (High to Low), then alphabetically by Protection Modules.
| Protection Module | Severity |
|---|---|
| Kernel Privilege Escalation Protection | High |
| WildFire Post-Detection (Malware and Grayware) | High |
| Brute Force Protection | Medium |
| Child Process Protection | Medium |
| DLL Hijacking Protection | Medium |
| Dylib Hijack Protection | Medium |
| Exception SysExit Check | Medium |
| Exploit Kit Fingerprinting Protection | Medium |
| Hot Patch Protection | Medium |
| Null Dereference Protection | Medium |
| Reverse Shell Protection | Medium |
| Execution from a Restricted Location - Local Path | Low |
| Execution from a Restricted Location - Network Location | Low |
| Execution from a Restricted Location - Removable Media | Low |
| (Treat as malware) | Low |
| WildFire Unknown (Treat as malware) | Low |
Security Event Details
When the Traps agent reports a security event, Traps management service provides a detailed view of the security event that you can use to assess the event and determine if it poses a security threat that requires additional mitigation and remediation. The details for each security event vary depending on the type of event and can describe the process or file that was blocked or reported, the module which triggered the event and the profile from which the module was enabled. These details can include some or all of the following information:
- Level of severity associated with the type of event: High, Medium, or Low.
- Name of the event that occurred.
- AGENT LOCAL TIME: Local time on the endpoint when the event occurred.
- Unique event ID.
- STATUS: Administrator-defined status for the security event. When an event is first reported to Traps management service, the event has a STATUS of New. When you begin to assess the potential threat for a security event, you can set the STATUS to Investigating. This allows you to easily filter the Security Events dashboard for the security events that you are currently assessing. After you complete your investigation, you can change the STATUS to Closed to indicate to other administrators that no additional assessment is required.
- Coordinated Universal Time (UTC) when the event occurred on the endpoint, adjusted for your local system time.
- Coordinated Universal Time (UTC) when Traps management service received the security event log, adjusted for your local system time.
- Status of the data retrieval request (displayed for malware events only if you attempt to retrieve data from the endpoint). When the upload is complete, Traps management service displays a link to Download Retrieved Data.
- Date and time the data was requested.
- Type of profile associated with the rule. For details on profile types, see Traps Profiles.
- Name of the source process or file that triggered the event.
- Action taken by Traps when the security event occurred: Block the process, file, or activity; or Report the event but do not block it.
- Module that triggered the event. The supported modules vary by the capabilities supported on each platform. See Protection Modules.
- For file-related events, the verdict assigned to the file by the WildFire or Local Analysis module.

Additional information about the endpoint:
- Status of the endpoint as reported on the Endpoints page (Active, Inactive, Zombie, Unauthorized, Unlicensed, Agent Incompatible, or OS Incompatible).
- LOGGED ON USER: User that was logged in to the endpoint when the security event occurred.
- Version of the operating system.
- Version of the content update installed with the Traps agent.
- Unique identifier of the endpoint (assigned by Traps management service).
- Domain or workgroup to which the endpoint belongs.
- Operating system name and architecture.
- Version of the Traps agent.
- IPv4 or IPv6 address of the endpoint.

Additional information about the affected process:
- Name of the process. For example, notepad++.exe.
- Unique identifier for the running process.
- File name of the process. For example, notepad++.exe.
- Full path for the file. For example, C:\Users\User\Desktop\ROP\notepad++.exe.
- Signer of the file. For example, Microsoft Corporation.

Information about files accessed by the affected process:
- Name of the file that triggered the event.
- Full path to the file involved in the event.
- SHA-256 hash of the file.
- User account used to run the process.
- Domain or workgroup to which the user belongs.
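As an added example (not part of the Traps documentation or product code), the following Python script applies the severity table from Security Event Severity Levels and the STATUS workflow described above to constructed event records: it orders events the way the page describes (severity High to Low, then module name), refuses to guess a severity for modules the page does not state one for, flags reported-but-not-blocked events that need attention first, and enforces the New -> Investigating -> Closed triage sequence. The JSON-lines export format, its field names, and the one-way transition rule are assumptions of this example.

```python
import json
# Severity per protection module, transcribed from the table in this section.
# Modules whose severity the page does not state explicitly are absent on purpose
# and fall back to "Unmapped", so triage never silently downgrades an unknown event.
SEVERITY_BY_MODULE = {"Kernel Privilege Escalation Protection": "High"}
SEVERITY_BY_MODULE.update({m: "Medium" for m in (
    "Brute Force Protection", "Child Process Protection", "DLL Hijacking Protection",
    "Dylib Hijack Protection", "Exception SysExit Check", "Exploit Kit Fingerprinting Protection",
    "Hot Patch Protection", "Null Dereference Protection", "Reverse Shell Protection")})
SEVERITY_BY_MODULE.update({m: "Low" for m in (
    "Execution from a Restricted Location - Local Path",
    "Execution from a Restricted Location - Network Location",
    "Execution from a Restricted Location - Removable Media")})
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Unmapped": 3}
# Triage workflow from Security Event Details (New -> Investigating -> Closed);
# enforcing it as a one-way state machine is this example's assumption.
ALLOWED_TRANSITIONS = {"New": {"Investigating"}, "Investigating": {"Closed"}, "Closed": set()}
# Constructed sample records in a hypothetical JSON-lines export, not the product's format.
SAMPLE_EVENTS = """
{"id": 101, "module": "Reverse Shell Protection", "action": "Block", "status": "New"}
{"id": 102, "module": "Kernel Privilege Escalation Protection", "action": "Block", "status": "New"}
{"id": 103, "module": "Execution from a Restricted Location - Removable Media", "action": "Report", "status": "New"}
{"id": 104, "module": "WildFire Unknown", "action": "Report", "status": "New"}
{"id": 105, "module": "Brute Force Protection", "action": "Report", "status": "New"}
"""

def severity_for(module):
    return SEVERITY_BY_MODULE.get(module, "Unmapped")

def load_events(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for ev in events:
        ev["severity"] = severity_for(ev["module"])
    return events

def dashboard_order(events):
    # Same order the page describes: severity High to Low, then module name.
    return sorted(events, key=lambda ev: (SEVERITY_RANK[ev["severity"]], ev["module"]))

def set_status(event, new_status):
    # Reject any transition outside New -> Investigating -> Closed.
    if new_status not in ALLOWED_TRANSITIONS[event["status"]]:
        raise ValueError(f"event {event['id']}: {event['status']} -> {new_status} not allowed")
    event["status"] = new_status
    return event

def needs_review(events):
    # Reported-but-not-blocked events of High or unmapped severity deserve a look first.
    return [ev["id"] for ev in events
            if ev["action"] == "Report" and ev["severity"] in ("High", "Unmapped")]
```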
Analysis Details (for Exploit Security Events)
When Traps reports a security event for a software exploit or vulnerability, Traps also captures the contents of memory at the time the event occurred. To verify whether the activity was indeed malicious, you can retrieve the security event data from the endpoint for Traps management service to perform an additional analysis on the memory data. Traps management service reports the status of the analysis on the Analysis tab for an exploit security event. When the analysis is complete, you can review the verdict issued as a result of the analysis, details about the nature of the activity, and recommendations (if applicable) on how to prevent the event from occurring on endpoints in the future.
- Status of the analysis.
- Verdict issued by Traps management service for the file (Benign or Malware), based on additional analysis of the security event data.
- Analysis findings that describe why Traps management service issued the verdict as Benign or Malware.
- If applicable, action recommended by Traps management service. In the case of a benign verdict, this recommendation details how to resolve and prevent this event from recurring on endpoints in the future.
- Status of the data retrieval request (displayed only if you attempt to retrieve data from the endpoint): Pending when the request for data is initiated from Traps management service, In Progress after the Traps agent receives the request, and Failed if the request fails or times out. When the upload is complete, Traps management service displays a link to Download Retrieved Data.
- Date and time the data was requested.
WildFire Analysis Details
When WildFire returns a verdict for a file, Traps management service also receives the WildFire analysis report. This report contains the detailed sample information and behavior analysis in different sandbox environments. You can use the report to assess whether the file poses a real threat on an endpoint. The details in the WildFire analysis report for each event vary depending on the behavior of the file.
File: <fileName> (<hashValue>)
- Official WildFire verdict for the file: Unknown, Malware, Grayware, or Benign.
- Hash value of the file generated using the SHA1 algorithm.
- Hash value of the file generated using the SHA256 algorithm.
- Hash value of the file generated using the MD5 algorithm.
- Type of file. For example, Portable Executable or DLL.
- Size of the file.
The Analysis Reports section includes the WildFire analysis reports for each testing environment. Each WildFire analysis report displays information about targeted processes and users, email header information (if enabled), the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. Each report contains some or all of this information, depending on the behavior observed for the file.