Differences Between Endpoint Security Manager and Traps Management Service

The following table compares capabilities between the Traps Endpoint Security Manager (ESM) 4.1 and Traps management service.
FeatureEndpoint Security ManagerTraps management service
Visibility into all file executions—including when Office files open and DLLs load into sensitive processes—and the file’s associated WildFire Report.
Hash Control
Administrative control to override verdicts for files that ran previously. Set verdicts from Benign to Malware and Malware to Benign.
Hash Control
Import never seen hashes and set verdicts for them.
Hash Control
SecurityExceptionsHash Exceptions
Display quarantined files that are eligible to be restored to their original location on the endpoint.
Hash Control
Security events search criteria
Security Events—Endpoint, user name, and process.
SecuritySecurity Events—Enhanced options to filter security events.
Log forwarding
SIEM, Syslog, Panorama, Email
Log forwarding to a Syslog receiver or email server is available with the Log Forwarding app.
Policy Management
Exception creation and policy configuration
You can create almost any policy rule that Palo Alto Networks Research teams (often at the instruction of Support) can create.
You can also whitelist very specific flows including whitelisting specific DLLs for EPMs, and allowing specific child processes.
Palo Alto Networks can also create granular policy changes, using either support exceptions or content updates. You can also edit profiles, create exceptions from security events, and disable specific capabilities, such as for a specific module or process.
Exceptions for Active Directory (AD) objects
Assign rules to any AD object.
Assign rules to any AD object.
Change mode per process
Report or block an event based on the process.
Report or block an event based on the category and not the process.
View protected processes
Visibility from the ESM Console (PoliciesExploitProcess Management).
Visibility from Traps management service (select or search for Protected Processes in the relevant exploit protection capability from SecurityProfiles<platform>CreateExploit Profile).
View policy from the Traps console
The Traps console displays the policy rules and exceptions that apply on the agent.
SettingsConditions—Conditions based on file properties and registry values.
EndpointsEndpoint Groups—Create dynamic groups based on conditions such as host name, domain, workgroup, IP addressing, endpoint type (for example, VDI), endpoint operating system, and agent version. Does not support conditions based on registry values.
Agent and ESM settings
Granular control over settings such as the Heartbeat Interval (the frequency at which the Traps agent attempts to check in), the Reporting Interval (the frequency at which the Traps agent sends report notifications, including changes in service, crash events, and new processes), and the Heartbeat Grace Period (the allowable time period for a Traps agent that has not responded, after which the status changes to disconnected).
Fixed settings but reduced heartbeat interval (5 minutes) and reporting interval (1 hour).
Content updates
Choice of manual or automated content update installation.
Automated content updates delivered directly to your Traps management service tenant by Palo Alto Networks.
Endpoint and Tenant Management
Role-based access control
Granular access control for different areas and flows in the ESM Console.
Predefined roles to allow access to Traps management service features.
Agent revocation
Automatic and manual license revocation.
Automatic license revocation and manual endpoint removal capability.
Custom notification message
Customizable notification messages.

Related Documentation