Traps Data Collection

Traps collects information about the endpoint when a security event occurs and can provide additional monitoring depending on your endpoint security policy.
When a security event occurs on an endpoint, Traps collects a minimum set of data about the endpoint as described in Data Collected for All Security Events.
When you enable behavioral threat protection or EDR data collection in your endpoint security policy, Traps can also continuously monitor endpoint activity for malicious event chains identified by Palo Alto Networks. The endpoint data that Traps collects when you enable these capabilities varies by the platform type:

Data Collected for All Security Events

When a security event occurs on an endpoint, Traps collects the following data and sends it to the Traps management service.
Field                     Description
Absolute Timestamp        Kernel system time
Relative Timestamp        Uptime since the computer booted
Thread ID                 ID of the originating thread
Process ID                ID of the originating process
Process Creation Time     Part of the process unique ID per boot session (PID + creation time)
Sequence ID               Unique integer per boot session
Primary User SID          Unique identifier of the user
Impersonating User SID    Unique identifier of the impersonating user, if applicable

Additional Endpoint Data Collected for Windows Endpoints

Each category below lists the events Traps records and the attributes it collects for them.

Executable metadata (Traps 6.1 and later)
  Events:
    • Process start
  Attributes:
    • File size
    • File access time

Files
  Events:
    • Create
    • Write
    • Delete
    • Rename
    • Move
    • Modification (Traps 6.1 and later)
    • Symbolic links (Traps 6.1 and later)
  Attributes:
    • Full path of the modified file before and after modification
    • SHA256 and MD5 hash for the file after modification
    • SetInformationFile for timestamps (Traps 6.1 and later)
    • File set security (DACL) information (Traps 6.1 and later)
    • Resolve hostnames on local network (Traps 6.1 and later)
    • Symbolic-link/hard-link and reparse point creation (Traps 6.1 and later)

Image (DLL)
  Events:
    • Load
  Attributes:
    • Full path
    • Base address
    • Target process ID/thread ID
    • Image size
    • Signature (Traps 6.1 and later)
    • SHA256 and MD5 hash for the DLL (Traps 6.1 and later)
    • File size (Traps 6.1 and later)
    • File access time (Traps 6.1 and later)

Process
  Events:
    • Create
    • Terminate
  Attributes:
    • Process ID (PID) of the parent process
    • PID of the process
    • Full path
    • Command line arguments
    • Integrity level, to determine whether the process is running with elevated privileges
    • Hash (SHA256 and MD5)
    • Signature or signing certificate details

Thread
  Events:
    • Injection
  Attributes:
    • Thread ID of the parent thread
    • Thread ID of the new or terminating thread
    • Process that initiated the thread, if it is from another process

Network
  Events:
    • Accept
    • Connect
    • Create
    • Listen
    • Close
    • Bind
  Attributes:
    • Source IP address and port
    • Destination IP address and port
    • Failed connection
    • Protocol (TCP/UDP)
    • Resolve hostnames on local network

Network Protocols
  Events:
    • DNS request and UDP response
    • HTTP connect
    • HTTP disconnect
    • HTTP proxy parsing
  Attributes:
    • Origin country
    • Remote IP address and port
    • Local IP address and port
    • Destination IP address and port, if the connection goes through a proxy
    • Network connection ID
    • IPv6 connection status (true/false)

Network Statistics
  Events:
    • On-close statistics
    • Periodic statistics
  Attributes:
    • Upload volume on the TCP link
    • Download volume on the TCP link
  Traps sends statistics when the connection closes and periodically while the connection is open.

Registry
  Events:
    • Registry value:
      • Deletion
      • Set
    • Registry key:
      • Creation
      • Deletion
      • Rename
      • Addition
      • Modification (set information)
      • Restore
      • Save
  Attributes:
    • Registry path of the modified value or key
    • Name of the modified value or key
    • Data of the modified value

Session
  Events:
    • Log on
    • Log off
    • Connect
    • Disconnect
    • Interactive log-on to the computer
  Attributes:
    • Session ID
    • Session state (equivalent to the event type)
    • Local (physically on the computer) or remote (connected using a terminal services session)

Host Status
  Events:
    • Boot
    • Suspend
    • Resume
  Attributes:
    • Host name
    • OS version
    • Domain
    • Previous and current state

User Presence (Traps 6.1 and later)
  Events:
    • User detection
  Attributes:
    • Detection of whether a user is present or idle, per active user session on the computer

Windows Event Logs
  See the Windows Event Logs table for the list of Windows Event Logs that Traps can collect.
Windows Event Logs

Event ID   Minimum Traps Release   Description
104        6.1.1                   Other Log cleared events
550        6.1.2                   Possible denial-of-service (DoS) attack
1001       6.1.1                   Windows Error Reporting
1024       6.1.1                   Log attempted TS connect to remote server
1100       6.1.1                   The event logging service has shut down
1102       6.1.1                   The audit log was cleared
1511       6.1.1                   The audit log was cleared
1518       6.1.1                   The audit log was cleared
4616       6.1.1                   The audit log was cleared
4618       6.1.2                   The audit log was cleared
4621       6.1.2                   Administrator recovered system from CrashOnAuditFail
4624       6.1.1                   An account was successfully logged on
4634       6.1.1                   An account was logged off
4649       6.1.2                   A replay attack was detected
4672       6.1.1                   Special privileges assigned to new logon
4675       6.1.2                   An operation was attempted on a privileged object
4688       6.1.1                   A new process has been created
4692       6.1.2                   Indirect access to an object was requested
4697       6.1.1                   Attempt to install a service
4698       6.1.1                   A scheduled task was created
4699       6.1.1                   A scheduled task was deleted
4700       6.1.1                   A scheduled task was enabled
4701       6.1.1                   A scheduled task was disabled
4702       6.1.1                   A scheduled task was updated
4719       6.1.2                   System security access was removed from an account
4720       6.1.1                   A user account was created
4722       6.1.1                   A user account was enabled
4725       6.1.1                   A user account was disabled
4726       6.1.1                   A user account was deleted
4728       6.1.1                   A member was added to a security-enabled global group
4732       6.1.1                   A member was added to a security-enabled local group
4733       6.1.1                   A member was removed from a security-enabled local group
4756       6.1.1                   A member was added to a security-enabled universal group
4765       6.1.2                   A member was removed from a security-disabled universal group
4766       6.1.2                   A member was removed from a security-disabled universal group
4778       6.1.1                   A session was reconnected to a Window Station
4794       6.1.2                   The Password Policy Checking API was called
4897       6.1.2                   Certificate Services published the CA certificate to Active Directory Domain Services
4964       6.1.2                   Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
5124       6.1.2                   A cryptographic function property modification was attempted
5140       6.1.1                   A network share object was accessed
5142       6.1.1                   A directory service object was deleted
5144       6.1.1                   A directory service object was deleted
30622      6.1.1                   IPsec Services has started successfully
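The common fields make process identity and ordering explicit: a PID is reused once a process exits, so Process Creation Time is part of the per-boot process ID, and Sequence ID orders events within a boot session. The following Python is an added example, not Traps code, that builds that key over a constructed batch of Windows Process and Thread events; the record field names (seq, boot, pid, ctime, src_pid, tid) are assumptions, since this page documents the collected fields, not their wire format.

```python
# Added example (not Traps code): correlate endpoint events by a per-boot
# process key. Record shape is constructed; Traps documents fields, not a
# wire format. A PID is reused once a process exits, so the durable identity
# is (boot session, PID, process creation time); Sequence ID orders events.
from collections import defaultdict

# Constructed sample events. ctime = process creation time (kernel clock).
EVENTS = [
    {"seq": 1, "boot": "b1", "event": "process_create", "pid": 4012,
     "ctime": 1000, "path": r"C:\Windows\System32\notepad.exe", "ppid": 812},
    {"seq": 3, "boot": "b1", "event": "process_terminate", "pid": 4012,
     "ctime": 1000},
    {"seq": 2, "boot": "b1", "event": "thread_injection", "pid": 4012,
     "ctime": 1000, "src_pid": 5120, "src_ctime": 900, "tid": 77},
    # PID 4012 is reused by an unrelated process after the first one exits.
    {"seq": 4, "boot": "b1", "event": "process_create", "pid": 4012,
     "ctime": 2000, "path": r"C:\Windows\System32\calc.exe", "ppid": 812},
    {"seq": 5, "boot": "b1", "event": "process_terminate", "pid": 4012,
     "ctime": 2000},
]


def process_key(boot, pid, ctime):
    """Durable process identity: PID + creation time within one boot session."""
    return (boot, pid, ctime)


def build_timeline(events):
    """Group events per process key, ordered by Sequence ID.

    Keying on PID alone would merge the two unrelated PID-4012 processes.
    """
    timeline = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["seq"]):
        timeline[process_key(ev["boot"], ev["pid"], ev["ctime"])].append(ev)
    return dict(timeline)


def injected_processes(events):
    """Map target process key -> injecting process key for cross-process
    thread injections (Thread category: 'process that initiated the thread
    if from another process')."""
    result = {}
    for ev in events:
        if ev["event"] == "thread_injection" and ev["src_pid"] != ev["pid"]:
            target = process_key(ev["boot"], ev["pid"], ev["ctime"])
            result[target] = process_key(ev["boot"], ev["src_pid"], ev["src_ctime"])
    return result
```

Because the key includes the creation time, the two lives of PID 4012 stay separate timelines, and the injection is attributed to the first one only.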

Additional Endpoint Data Collected for Mac Endpoints

Each category below lists the events Traps records and the attributes it collects for them.

Files
  Events:
    • Create
    • Write
    • Delete
    • Rename
    • Move
    • Open
  Attributes:
    • Full path of the modified file before and after modification
    • SHA256 and MD5 hash for the file after modification

Process
  Events:
    • Start
    • Stop
  Attributes:
    • Process ID (PID) of the parent process
    • PID of the process
    • Full path
    • Command line arguments
    • Integrity level, to determine whether the process is running with elevated privileges
    • Hash (SHA256 and MD5)
    • Signature or signing certificate details

Network
  Events:
    • Accept
    • Connect
    • Connect failure
    • Disconnect
    • Listen
    • Statistics
  Attributes:
    • Source IP address and port
    • Destination IP address and port
    • Failed connection
    • Protocol (TCP/UDP)
    • Aggregated send/receive statistics for the connection

Additional Endpoint Data Collected for Linux Endpoints

Each category below lists the events Traps records and the attributes it collects for them.

Files
  Events:
    • Create
    • Open
    • Write
    • Delete
  Attributes:
    • Full path of the file
    • Hash of the file (for specific files only, and only if the file was written)

  Events:
    • Copy
    • Move (rename)
  Attributes:
    • Full paths of both the original and the modified files

  Events:
    • Change owner (chown)
    • Change mode (chmod)
  Attributes:
    • Full path of the file
    • Newly set owner/attributes

Network
  Events:
    • Listen
    • Accept
    • Connect
    • Connect failure
    • Disconnect
  Attributes:
    • Source IP address and port for explicit binds
    • Destination IP address and port
    • Failed TCP connections
    • Protocol (TCP/UDP)

Process
  Events:
    • Start
  Attributes:
    • PID of the child process
    • PID of the parent process
    • Full image path of the process
    • Command line of the process
    • Hash of the image (SHA256 and MD5)

  Events:
    • Stop
  Attributes:
    • PID of the stopped process
