Traps Data Collection

When a security event occurs on an endpoint, Traps collects data about the event to help you understand the event context. In addition to collecting data related to a specific event, Traps can perform continuous monitoring of all Windows endpoint activity. If you enable Behavioral Threat Protection or Enhanced Data Collection for EDR, Traps can use this information to identify and block malicious causality chains (sequences of events). The following topics describe the data Traps can collect in more detail:

Data Collected for All Security Events

When a security event occurs on an endpoint, Traps collects the following data and sends it to the Traps management service.
  • Absolute Timestamp: Kernel system time
  • Relative Timestamp: Uptime since the computer booted
  • Thread ID: ID of the originating thread
  • Process ID: ID of the originating process
  • Process Creation Time: Part of the process unique ID per boot session (PID + creation time)
  • Sequence ID: Unique integer per boot session
  • Primary User SID: Unique identifier of the user
  • Impersonating User SID: Unique identifier of the impersonating user, if applicable

Additional Data Collected

With behavioral threat protection and EDR data collection, Traps continuously monitors endpoint activity to detect the malicious event chains identified by Palo Alto Networks. This can include any of the following events, listed by category with the attributes recorded for each:

Category: Files
  Events:
    • Create
    • Write
    • Delete
    • Rename
    • Move
  Attributes:
    • Full path of the modified file before and after modification
    • SHA256 and MD5 hash for the file after modification

Category: ImageLoad
  Attributes:
    • Full path
    • Base address
    • Target process-id/thread-id
    • Image size

Category: Process
  Events:
    • Create
    • Terminate
  Attributes:
    • Process ID (PID) of the parent process
    • PID of the process
    • Full path
    • Command line arguments
    • Integrity level to determine if the process is running with elevated privileges
    • Hash (SHA256 and MD5)
    • Signature or signing certificate details

Category: ThreadInjection
  Attributes:
    • Thread ID of the parent thread
    • Thread ID of the new or terminating thread
    • Process that initiated the thread, if from another process

Category: Network
  Events:
    • Accept
    • Connect
    • Create
    • Listen
    • Close
    • Bind
  Attributes:
    • Source IP address and port
    • Destination IP address and port
    • Failed connection
    • Protocol (TCP/UDP)

Category: Network Protocols
  Events:
    • DNS request and UDP response
    • HTTP connect
    • HTTP disconnect
    • HTTP proxy parsing
  Attributes:
    • Origin country
    • Remote IP address and port
    • Local IP address and port
    • Destination IP address and port if proxy connection
    • Network connection ID
    • IPv6 connection status (true/false)

Category: Network Statistics
  Events:
    • On-close statistics
    • Periodic statistics
  Attributes:
    • Upload volume on TCP link
    • Download volume on TCP link
  Traps sends statistics on connection close and periodically while the connection is open.

Category: Registry
  Events:
    • Registry value:
      • Deletion
      • Set
    • Registry key:
      • Creation
      • Deletion
      • Rename
      • Addition
      • Modification (set information)
      • Restore
      • Save
  Attributes:
    • Registry path of the modified value or key
    • Name of the modified value or key
    • Data of the modified value

Category: Session
  Events:
    • Log on
    • Log off
    • Connect
    • Disconnect
  Attributes:
    • Interactive log-on to the computer
    • Session ID
    • Session State (equivalent to the event type)
    • Local (physically on the computer) or remote (connected using a terminal services session)

Category: Host Status
  Events:
    • Boot
    • Suspend
    • Resume
  Attributes:
    • Host name
    • OS Version
    • Domain
    • Previous and current state
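As an added example (not Traps code, and not the product's export format), the following Python builds a process causality chain from constructed process-create records, keyed by the per-boot-session process ID (PID + creation time) and processed in Sequence ID order, so that PID reuse does not mislink a child to an earlier, already terminated process; the record field names are assumptions.

```python
"""Build process causality chains from process events, keyed by the
per-boot-session unique process ID (PID + creation time).
Added example: the records below are constructed for illustration and
use assumed field names, not the product's real export format."""
from typing import Dict, List, Tuple

ProcKey = Tuple[int, int]  # (PID, creation time): unique within one boot session

# Constructed sample. PID 4120 is reused after cmd.exe exits, so the PID alone
# would wrongly attach notepad.exe's child to the earlier cmd.exe.
EVENTS = [
    {"seq": 1, "event": "create", "pid": 4120, "ctime": 100, "ppid": 800, "pctime": 50,
     "path": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"seq": 2, "event": "terminate", "pid": 4120, "ctime": 100},
    {"seq": 3, "event": "create", "pid": 4120, "ctime": 230, "ppid": 900, "pctime": 60,
     "path": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"seq": 4, "event": "create", "pid": 5000, "ctime": 240, "ppid": 4120, "pctime": 230,
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
]


def proc_key(pid: int, ctime: int) -> ProcKey:
    """Unique process ID within a boot session: PID plus creation time."""
    return (pid, ctime)


def build_tree(events: List[dict]) -> Tuple[Dict[ProcKey, ProcKey], Dict[ProcKey, str]]:
    """Return (child -> parent) links and (process -> image path). Events are
    processed in Sequence ID order so out-of-order delivery cannot corrupt the tree."""
    parent: Dict[ProcKey, ProcKey] = {}
    path: Dict[ProcKey, str] = {}
    for ev in sorted(events, key=lambda e: e["seq"]):
        if ev["event"] != "create":
            continue  # terminate events carry no lineage information
        key = proc_key(ev["pid"], ev["ctime"])
        parent[key] = proc_key(ev["ppid"], ev["pctime"])
        path[key] = ev["path"]
    return parent, path


def causality_chain(events: List[dict], pid: int, ctime: int) -> List[str]:
    """Walk parent links from the given process to its oldest observed ancestor and
    return image paths root-first. Ancestors that started before monitoring began
    have no create event, so the walk stops at the first unknown key."""
    parent, path = build_tree(events)
    chain: List[str] = []
    key = proc_key(pid, ctime)
    while key in path:
        chain.append(path[key])
        key = parent[key]
    return list(reversed(chain))
```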
