What is a Security Event?

A security event occurs when the Traps agent identifies an attempt to run a malicious file or process. The agent reports a security event when the file or process matches an applied policy rule (either a default policy rule or a custom rule you define). When the event occurs, Traps applies the action specified in the applied security profile: it either blocks the malicious activity, or allows the activity and reports it. Examples of activity that triggers a security event include attempts to:
  • Run known malware
  • Run unknown files
  • Leverage bugs or flaws in software for a malicious purpose
The following topics provide more information to help you Assess Security Events:

Security Event Severity Levels

When a security event occurs, Traps logs the event and reports it to Traps management service. The log for each security event identifies the type of event and the specific module Traps applied to the process or file. Traps management service assigns each security event a severity level based on the nature of the event. The following list groups the protection modules by severity (High to Low), alphabetically within each level.

High
  • Anti-Ransomware Protection
  • APC Protection
  • Behavioral Threat
  • Kernel Privilege Escalation Protection
  • WildFire Post-Detection (Malware and Grayware)
Medium
  • Brute Force Protection
  • Child Process Protection
  • CPL Protection
  • DEP
  • DLL Hijacking Protection
  • DLL Security
  • Dylib Hijack Protection
  • Exception SysExit Check
  • Exploit Kit Fingerprinting Protection
  • Font Protection
  • Gatekeeper Enhancement
  • Hot Patch Protection
  • JIT Mitigation
  • Local Analysis
  • Null Dereference Protection
  • Reverse Shell Protection
  • ROP Mitigation
  • SEH Protection
  • Shellcode Protection
  • ShellLink Protection
  • UASLR
  • WildFire Malware
Low
  • Execution from a Restricted Location - Local Path
  • Execution from a Restricted Location - Network Location
  • Execution from a Restricted Location - Removable Media
  • Hash Exception

Security Event Details

When the Traps agent reports a security event, Traps management service provides a detailed view of the event that you can use to assess it and determine whether it poses a security threat that requires additional mitigation and remediation. The details for each security event vary with the type of event and can describe the process or file that was blocked or reported, the module that triggered the event, and the profile that enabled the module. These details can include some or all of the following information:
Security Event
  SEVERITY: Level of severity associated with the type of event: High, Medium, or Low.
  EVENT: Name of the event that occurred.
  AGENT LOCAL TIME: Local time on the endpoint when the event occurred.
  EVENT ID: Unique event ID.
  STATUS: Administrator-defined status for the security event. When an event is first reported to Traps management service, its STATUS is New. When you begin to assess the potential threat, set the STATUS to Investigating; this lets you filter the Security Events dashboard for the events you are currently assessing. After you complete your investigation, set the STATUS to Closed to indicate to other administrators that no additional assessment is required.
  AGENT TIME: Time the event occurred on the endpoint, recorded in Coordinated Universal Time (UTC) and displayed adjusted to your local system time.
  REPORT TIME: Time Traps management service received the security event log, recorded in UTC and displayed adjusted to your local system time.
Data Retrieval
  Displays for malware events only if you attempt to retrieve data from the endpoint.
  STATUS: Status of the data retrieval request:
    • Pending when the request for data is initiated from Traps management service.
    • In Progress after the Traps agent receives the request.
    • Failed if the request fails or times out.
    When the upload is complete, Traps management service displays a Download Retrieved Data link.
  GENERATION DATE: Date and time the data was requested.
Module
  PROFILE TYPE: Type of profile associated with the rule. For details on profile types, see Traps Profiles.
  SOURCE PROCESS: Name of the source process or file that triggered the event.
  ACTION: Action Traps took when the security event occurred: Block the process, file, or activity; or Report the event without blocking it.
  MODULE: Module that triggered the event. The supported modules vary with the capabilities of each platform. See Protection Modules.
  VERDICT: For file-related events, the verdict assigned to the file by the WildFire or Local Analysis module.
Endpoint: <endpointName>
  Additional information about the endpoint.
  STATUS: Status of the endpoint as reported on the Endpoints page: Active, Inactive, Zombie, Unauthorized, Unlicensed, Agent Incompatible, or OS Incompatible.
  LOGGED ON USER: User that was logged in to the endpoint when the security event occurred.
  OS VERSION: Version of the operating system.
  CONTENT VERSION: Version of the content update installed with the Traps agent.
  ENDPOINT ID: Unique identifier of the endpoint (assigned by Traps management service).
  DOMAIN: Domain or workgroup to which the endpoint belongs.
  OS NAME: Operating system name and architecture.
  AGENT VERSION: Version of the Traps agent.
  IP: IPv4 or IPv6 address of the endpoint.
Processes
  Additional information about the affected process.
  Process: Name of the process. For example, notepad++.exe.
  PID: Unique identifier for the running process.
  FILE NAME: File name of the process. For example, notepad++.exe.
  FULL PATH: Full path to the file. For example, C:\Users\User\Desktop\ROP\notepad++.exe.
  SIGNER: Signer of the file. For example, Microsoft Corporation.
Files
  Information about files accessed by the affected process.
  FILE NAME: Name of the file that triggered the event.
  FULL PATH: Full path to the file involved in the event.
  SHA256: SHA-256 hash of the file.
Users
  USER NAME: User account used to run the process.
  USER DOMAIN: Domain or workgroup to which the user belongs.
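As an added example, not code from the Traps documentation or product, the following script applies the severity levels listed above and the STATUS workflow, ACTION, AGENT TIME, REPORT TIME and SHA256 fields from the details table to a constructed batch of events, producing the order in which an analyst should work them. The export format of Traps management service is not shown on this page, so the record layout (one dict per event, keyed by the field names above) and the sample values are assumptions.

```python
"""Triage queue built from the security event fields documented above.

Added example, not code from the Traps documentation or product. The export
format of Traps management service is not shown on the page, so the record
layout (one dict per event keyed by the field names above) and the sample
values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Severity levels from the page, ranked so that High sorts first.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Administrator STATUS workflow from the page: New -> Investigating -> Closed.
STATUS_FLOW = {"New": {"Investigating"}, "Investigating": {"Closed"}, "Closed": set()}

# Constructed sample records (not real Traps output); times are UTC, ISO 8601.
SAMPLE_EVENTS = [
    {"EVENT ID": "1", "SEVERITY": "High", "MODULE": "WildFire Post-Detection",
     "ACTION": "Report", "STATUS": "New", "VERDICT": "Malware",
     "SHA256": "a" * 64, "ENDPOINT ID": "ep-01",
     "AGENT TIME": "2019-03-04T10:00:00Z", "REPORT TIME": "2019-03-04T10:00:12Z"},
    {"EVENT ID": "2", "SEVERITY": "Medium", "MODULE": "ROP Mitigation",
     "ACTION": "Block", "STATUS": "New", "VERDICT": "",
     "SHA256": "", "ENDPOINT ID": "ep-02",
     "AGENT TIME": "2019-03-04T09:30:00Z", "REPORT TIME": "2019-03-04T09:30:05Z"},
    {"EVENT ID": "3", "SEVERITY": "High", "MODULE": "Anti-Ransomware Protection",
     "ACTION": "Block", "STATUS": "Investigating", "VERDICT": "",
     "SHA256": "", "ENDPOINT ID": "ep-03",
     "AGENT TIME": "2019-03-04T09:45:00Z", "REPORT TIME": "2019-03-04T09:45:03Z"},
    {"EVENT ID": "4", "SEVERITY": "Low",
     "MODULE": "Execution from a Restricted Location - Removable Media",
     "ACTION": "Block", "STATUS": "Closed", "VERDICT": "Benign",
     "SHA256": "b" * 64, "ENDPOINT ID": "ep-04",
     "AGENT TIME": "2019-03-04T08:00:00Z", "REPORT TIME": "2019-03-04T08:00:02Z"},
    {"EVENT ID": "5", "SEVERITY": "High", "MODULE": "WildFire Post-Detection",
     "ACTION": "Report", "STATUS": "New", "VERDICT": "Malware",
     "SHA256": "a" * 64, "ENDPOINT ID": "ep-05",
     "AGENT TIME": "2019-03-04T10:05:00Z", "REPORT TIME": "2019-03-04T10:05:30Z"},
]


def parse_utc(stamp):
    """Parse the ISO 8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def report_lag_seconds(event):
    """Seconds between AGENT TIME (event on the endpoint) and REPORT TIME
    (received by the management service). A large lag means the endpoint was
    offline or throttled and the analyst is looking at stale activity."""
    return int((parse_utc(event["REPORT TIME"]) - parse_utc(event["AGENT TIME"])).total_seconds())


def triage_key(event):
    """Closed events last; then highest severity; then events Traps only
    Reported (the activity was allowed to run) ahead of ones it Blocked;
    then oldest first."""
    return (
        event["STATUS"] == "Closed",
        SEVERITY_RANK[event["SEVERITY"]],
        event["ACTION"] != "Report",
        parse_utc(event["AGENT TIME"]),
    )


def triage_queue(events):
    """Return the events in the order an analyst should work them."""
    return sorted(events, key=triage_key)


def advance_status(event, new_status):
    """Return a copy with STATUS moved along the documented workflow;
    skips such as New -> Closed are rejected."""
    if new_status not in STATUS_FLOW[event["STATUS"]]:
        raise ValueError(f"cannot move event {event['EVENT ID']} from "
                         f"{event['STATUS']} to {new_status}")
    return {**event, "STATUS": new_status}


def endpoints_by_file(events):
    """Map SHA256 -> sorted endpoint IDs so a file seen on many hosts is
    assessed once; exploit events carry no file hash and are skipped."""
    seen = defaultdict(set)
    for event in events:
        if event.get("SHA256"):
            seen[event["SHA256"]].add(event["ENDPOINT ID"])
    return {digest: sorted(hosts) for digest, hosts in seen.items()}


if __name__ == "__main__":
    for event in triage_queue(SAMPLE_EVENTS):
        print(event["EVENT ID"], event["SEVERITY"], event["ACTION"], event["STATUS"],
              event["MODULE"], f"lag={report_lag_seconds(event)}s")
    print(endpoints_by_file(SAMPLE_EVENTS))
```

Sorting Report ahead of Block within a severity level is a triage choice, not something the page prescribes: a reported event means the activity was allowed to run, so the endpoint may already be compromised, while a blocked event is evidence of an attempt that was stopped. The lag between AGENT TIME and REPORT TIME tells you how stale that picture is before you move the STATUS to Investigating.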

Analysis Details (for Exploit Security Events)

When Traps reports a security event for an exploit of a software vulnerability, Traps also captures the contents of memory at the time the event occurred. To verify whether the activity was indeed malicious, you can retrieve the security event data from the endpoint so that Traps management service can perform additional analysis on the memory data. Traps management service reports the status of the analysis on the Analysis tab of an exploit security event. When the analysis is complete, you can review the verdict issued as a result of the analysis, details about the nature of the activity, and recommendations (if applicable) on how to prevent the event from recurring on endpoints in the future.
Analysis
  STATUS: Status of the analysis.
  VERDICT: Verdict Traps management service issued for the file based on additional analysis of the security event data:
    • Benign: additional analysis of the memory determined the activity is benign.
    • Malware: additional analysis of the memory determined the activity is malicious.
    • Inconclusive: additional analysis of the memory did not definitively determine whether the event was malicious or benign.
  DESCRIPTION: Analysis findings that describe why Traps management service issued a Benign or Malware verdict.
  RECOMMENDED ACTION: If applicable, the action Traps management service recommends. For a benign verdict, this recommendation details how to resolve the event and prevent it from recurring on endpoints in the future.
Data Retrieval
  Displays only if you attempt to retrieve data from the endpoint.
  STATUS: Status of the data retrieval request: Pending when the request for data is initiated from Traps management service, In Progress after the Traps agent receives the request, and Failed if the request fails or times out. When the upload is complete, Traps management service displays a Download Retrieved Data link.
  GENERATION DATE: Date and time the data was requested.

WildFire Analysis Details

When WildFire returns a verdict for a file, Traps management service also receives the WildFire analysis report. This report contains the detailed sample information and behavior analysis in different sandbox environments. You can use the report to assess whether the file poses a real threat on an endpoint. The details in the WildFire analysis report for each event vary depending on the behavior of the file.
File: <fileName> (<hashValue>)
  VERDICT: Official WildFire verdict for the file: Unknown, Malware, Grayware, or Benign.
  SHA1: Hash value of the file generated using the SHA-1 algorithm.
  SHA256: Hash value of the file generated using the SHA-256 algorithm.
  MD5: Hash value of the file generated using the MD5 algorithm.
  FILE TYPE: Type of file. For example, Portable Executable or DLL.
  SIZE: Size of the file.
Analysis Reports
  The Analysis Reports section includes the WildFire analysis report for each testing environment. Each report displays information about targeted processes and users, email header information (if enabled), the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. WildFire reports contain some or all of this information, depending on the observed behavior of the file.
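Before acting on a WildFire verdict for a sample you pulled from an endpoint, confirm that the bytes in hand are the file the event refers to. The following is an added example, not code from the Traps documentation or product: it computes the MD5, SHA-1 and SHA-256 values and the Portable Executable versus DLL file type shown in the table above, and compares the SHA-256 with the hash carried by the event. The minimal PE images it builds are constructed for the demo (headers only, not loadable), and the event hash it checks against is an assumed value.

```python
"""Verify a retrieved sample against the file details WildFire reports.

Added example, not code from the Traps documentation or product. It derives
the MD5, SHA-1 and SHA-256 values and the PE/DLL file type from a file's
bytes, and checks the SHA-256 against the hash carried by the event so the
sample being assessed is the one WildFire judged. The PE images built here
are constructed for the demo (headers only) and are not loadable.
"""
import hashlib
import hmac
import struct

# COFF file header Characteristics flags from the PE format specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
# COFF Machine values from the PE format specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def build_pe_stub(is_dll, machine=0x8664):
    """Construct a minimal PE image for the demo: DOS header whose e_lfanew
    points at the PE signature, followed by a 20-byte COFF file header."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\x00\x00" + coff_header


def _coff_header(data):
    """Return (machine, characteristics) for a PE image, or None if the
    bytes are not a well-formed PE header (truncated files included)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return machine, characteristics


def file_type(data):
    """Classify bytes the way the FILE TYPE field does for PE files:
    'Portable Executable', 'DLL', or 'Unknown' for anything else."""
    header = _coff_header(data)
    if header is None:
        return "Unknown"
    _, characteristics = header
    if characteristics & IMAGE_FILE_DLL:
        return "DLL"
    if characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "Portable Executable"
    return "Unknown"


def file_details(data):
    """The file fields from the WildFire table, computed locally, plus the
    architecture from the COFF Machine field where one is present."""
    header = _coff_header(data)
    return {
        "FILE TYPE": file_type(data),
        "ARCH": MACHINE_NAMES.get(header[0], "unknown") if header else "n/a",
        "SIZE": len(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def matches_event(data, event_sha256):
    """True if the retrieved bytes are the file the security event refers to.
    Compares SHA-256 hex digests case-insensitively in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(),
                               event_sha256.strip().lower())


if __name__ == "__main__":
    sample = build_pe_stub(is_dll=True)          # constructed sample, not a real file
    details = file_details(sample)
    event_hash = details["SHA256"].upper()      # assumed value copied from an event
    print(details)
    print("matches event:", matches_event(sample, event_hash))
```

A retrieved sample that fails matches_event should not be assessed under the event's WildFire verdict at all; re-request the data or pull the file by hash. The type check deliberately refuses truncated headers rather than guessing, since a partial upload is exactly the case where the hash will not match either.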
