Features Introduced in 2018

Introducing new features in the Traps management service by month during 2018.
The following topics describe the new features introduced in the Traps management service in 2018 by month.

Features Introduced in December 2018

Dynamic Endpoint Group Support for Agent Version
You can now define membership for a dynamic endpoint group based on a specific Traps agent version.
This enables you to manage endpoints, exceptions, and apply policy to endpoints running specific Traps agent versions.
Centralized File Management
For enhanced visibility and ease of management, the Traps management service now consolidates the File Analytics and Restore Candidates pages into the following new views:
  • Files
    Displays all files that run on your Windows endpoints. As with the previous File Analytics page, you can pivot to view additional details about the file, including when and on which endpoints it last ran, verdicts from local and WildFire verdict sources, and more.
  • Files
    Displays all files that were quarantined (either manually or automatically). Previously, you could view only files that were quarantined and now had a Benign verdict. From this view, you can also easily open the details view for any file to create an exception to restore it on the endpoint.

Features Introduced in November 2018

The following table describes the new features introduced in the Traps management service in November 2018.
Temporary Session Management and Visibility
To help you easily manage Traps on endpoints that run as temporary sessions, the Traps management service now distinguishes temporary sessions from other non-persistent VDI. The Traps management service identifies temporary sessions with
notation in the endpoint summary view and indicates the Type as Temporary Session in the additional details view for an endpoint. You can also create a dynamic endpoint group for temporary sessions for use in policy and endpoint management.
To take advantage of enhanced support for temporary sessions, you must install Traps 5.0.4.
Detailed Memory Analysis of Security Events
To verify the correctness of a verdict, you can now upload the memory state collected by Traps when an exploit security event occurs to the Traps management service for additional analysis. This provides an additional layer of analysis so you can be sure a verdict is accurate.
To enable the Traps management service to perform additional memory analysis, you must first Retrieve and Analyze Security Event Data. This option is available from the details view of a security event (you can track the upload process on the Actions Tracker). After the Traps management service receives the security event data, it begins analysis. You can monitor the progress of, and later review the results of, the additional analysis on the new
tab of the detailed view for the security event.
Cloud Services App Switching
You can now switch to your other Cloud Service apps and app instances from the Traps management service. If your user account belongs to multiple accounts, you can also easily switch between accounts.
Mimikatz Prevention
To prevent attackers from leveraging the Mimikatz tool to extract passwords from memory, you can now enable Password Theft Protection for endpoints running Windows Vista and later Windows releases with Traps 5.0.4 or later. You enable the new module in a Malware Security profile for Windows endpoints. When enabled, Traps silently prevents attempts to steal credentials (Traps does not currently provide notifications when these events occur).
Severity Level Change for Hash Exception Events
The severity level for Hash Exception events has changed from High to Low.

Features Introduced in October 2018

The following table describes the new features introduced in the Traps management service in October 2018.
Examination of Office Files on Network Drives
You can now choose whether to examine Microsoft Office files for malicious macros when the file is run from a network drive. You configure the new setting, Examine Office files from network drives, in a Malware profile for Windows endpoints.
Enhanced Management for Resolved Events
The ability to archive security events is now deprecated and is superseded by functionality which allows you to close out one or more events without deleting them from the Traps management service. In addition, any previously archived events are updated to have a status of
. Closing events is more advantageous than archiving events because you can hide events that have already been investigated from the default view while still retaining the event details should you need to review them later. To include closed events in the results on the Security Events page, select the Status: Closed search filter.
Bulk Security Event Status Management
To enable you to easily manage multiple security events, you can now change the status (
) for events in bulk. For example, after you investigate multiple new events, you can change the status for those events to closed in one action.

Features Introduced in September 2018

The following table describes the new features introduced in the Traps management service in September 2018.
Native Role-Based Access Control
The Traps management service introduces five built-in roles that you can use to manage administrative privileges from the Traps management service. Each role provides specific access rights for Traps management service users:
  • Super Admin—Full read-write access, including the ability to view and assign roles.
  • Viewer—Read-only access.
  • Security Admin—Read-write access to manage security profiles, policies, and events, and read-only access to all other areas.
  • IT Admin—Read-write access to deployment operations such as managing agent installation packages and uninstalling Traps agents, and read-only access to all other areas.
  • No Access—No access to any Traps management service pages or functions.
From the Traps management service, you can change the default role assigned to new users when they first log in and assign roles to individual users.
Support Exception Assignment Enhancement
To quickly configure support exceptions for select endpoints, you can now assign support exceptions to endpoint groups, AD groups, and AD organizational units (OU). Support exceptions apply only to the platform type specified in the exception. In addition, in the case of AD objects that specify both users and endpoints, a support exception applies only on endpoints.
What’s New Notification
The Traps management service now displays a pop-up notification to provide visibility into features and changes in new releases.
The Traps management service displays the notification for each user at the first login following a release. The notification highlights important information or features and directs you to the release notes for the comprehensive list of all features. After you dismiss the pop-up, the notification disappears and will not display until the next release.
Administrative Action Tracking
To help you monitor the progress of administrator-initiated activities, the Traps management service introduces a new Actions Tracker.
Actions Tracker
enables you to monitor the status of upgrades, uninstalls, scans, halted scans, data retrieval (both security event data and tech support files), and quarantined file restoration across multiple endpoints and provides visibility into failures, should they occur.
DLL Blacklist for Exploit Protection
To block DLLs from running when launched by protected processes, you can now configure a blacklist as part of an Exploit Security Profile. The blacklist supports multiple DLLs per process name and complete or partial DLL paths. DLL names also support wildcards and environment variables.
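Before deploying a DLL blacklist it helps to reason about what a pattern actually catches: whether a partial path such as `System32\foo.dll` matches only under that directory, whether `%SystemRoot%` and case differences are handled, and how far a `*` reaches. The following is an added example of such a matcher, written for this page; it is not Traps code, and the Traps management service does not document its own matching rules. The environment values, the process names, the blacklist patterns, and the normalisation rules (case-insensitive comparison, Windows-style `%VAR%` expansion, partial paths matched against the trailing components of the loaded DLL's full path) are all assumptions made for the demonstration.

```python
"""Illustrative DLL blacklist matcher (added example, not Traps code).

Models the semantics the release note describes for an Exploit Security
Profile DLL blacklist: several patterns per protected process, complete or
partial DLL paths, wildcards, and Windows-style environment variables.
The normalisation rules below are assumptions for the demo, not Traps'.
"""
import fnmatch
import ntpath
import re

# Constructed environment used to expand %VAR% references offline (assumed values).
WIN_ENV = {
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}

# Constructed blacklist: protected process name -> list of DLL patterns (hypothetical).
DLL_BLACKLIST = {
    "winword.exe": [
        r"%LOCALAPPDATA%\Temp\*.dll",   # any DLL loaded from the user's temp directory
        r"inject*.dll",                 # bare file name with a wildcard
    ],
    "iexplore.exe": [
        r"C:\Program Files\LegacyPlugin\plugin.dll",  # complete path
        r"System32\msvbvm*.dll",        # partial path: matched against the path tail
    ],
}


def expand_env(path, env=WIN_ENV):
    """Expand %NAME% references from `env`; names are compared case-insensitively."""
    def repl(match):
        return env.get(match.group(1).upper(), match.group(0))
    return re.sub(r"%([^%]+)%", repl, path)


def normalize(path):
    """Expand environment variables, unify separators (/ -> \\) and fold case."""
    return ntpath.normpath(expand_env(path)).lower()


def pattern_matches(pattern, dll_path):
    """True if the blacklist `pattern` covers the DLL loaded from `dll_path`."""
    pat = normalize(pattern)
    full = normalize(dll_path)
    if ntpath.splitdrive(pat)[0]:
        # A pattern with a drive letter is a complete path: match the whole string.
        # Note that '*' in fnmatch also crosses directory separators.
        return fnmatch.fnmatchcase(full, pat)
    # Otherwise the pattern is a partial path: each of its components must match
    # the corresponding trailing component of the loaded DLL's path.
    pat_parts = pat.split("\\")
    full_parts = full.split("\\")
    if len(pat_parts) > len(full_parts):
        return False
    tail = full_parts[-len(pat_parts):]
    return all(fnmatch.fnmatchcase(f, p) for f, p in zip(tail, pat_parts))


def is_blocked(process, dll_path, blacklist=DLL_BLACKLIST):
    """Return the first matching pattern if `process` may not load `dll_path`, else None."""
    for pattern in blacklist.get(process.lower(), []):
        if pattern_matches(pattern, dll_path):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed load attempts to exercise the matcher.
    attempts = [
        ("WINWORD.EXE", r"C:\Users\alice\AppData\Local\Temp\evil.dll"),
        ("winword.exe", r"C:\Windows\System32\kernel32.dll"),
        ("iexplore.exe", r"C:\Windows\System32\msvbvm60.dll"),
        ("iexplore.exe", r"C:\Windows\SysWOW64\msvbvm60.dll"),
    ]
    for proc, dll in attempts:
        hit = is_blocked(proc, dll)
        print(f"{proc:<12} {dll:<50} -> {'BLOCK by ' + hit if hit else 'allow'}")
```

The SysWOW64 case is the one to notice: a partial path pins the directory component, so `System32\msvbvm*.dll` does not cover the 32-bit copy of the same DLL, and a blacklist that is meant to cover both needs a second entry or a wildcard on the directory.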

Features Introduced in August 2018

The following table describes the new features introduced in the Traps management service in August 2018.
Dashboard Enhancement
The Dashboard has been enhanced to streamline endpoint and security event management. From the Dashboard you can now jump to a filtered list of endpoints that share any of the following characteristics: platform, content update status (latest or outdated), and license status (view a list of all licensed endpoints). For security events, you can also jump to filtered lists of unresolved events by severity. The Dashboard quick links enable you to quickly identify endpoints for which administrative action may be required. 
Enhanced Endpoint Filters
To refine the number of endpoints on the Endpoints page, you can now apply new endpoint search filters:
  • Agent Version—Filters all endpoints for specific agent versions. Using this filter you can quickly identify all endpoints running older Traps versions and upgrade them to the latest Traps version, ensuring the endpoint takes advantage of the latest security policy and Traps features.
  • Content Version—Filters all endpoints for specific content update versions. This filter provides visibility into which endpoints are using older content versions and may require manual remediation.
You can also search for a full or partial version in the drop down for each filter. The Traps management service evaluates multiple selections within a filter using an
operator and across different filter types using an
Security Event Search by Event ID
If you already know the unique event ID for a security event, you can now use that ID to quickly locate the event. To filter security events for an Event ID, you must enter the complete ID value.
Hash Exceptions Search
To quickly locate a hash exception, you can now search hash exceptions using the complete SHA256 value.
Process Exceptions Assignment Enhancement
To quickly configure process exceptions for select endpoints, you can now assign process exceptions to endpoint groups, AD groups, and AD organizational units (OU). Process exceptions will apply only to the platform type specified in the exception. In addition, in the case of AD objects that specify users and endpoints, a process exception will apply only on endpoints.

Features Introduced in July 2018

The following table describes the new features introduced in the Traps management service in July 2018.
Enhanced Visibility Into Protected Processes
You can now view and search processes protected by each capability in an Exploit Security Profile. This helps you better understand which processes are affected when you configure Exploit security profiles.
Search Security Events by Process or File Name
You can now search security events for a specific process or file name. The new search filters can help you determine which endpoints are affected by a specific malicious file or process.
Restricted Folder Whitelist
(Windows only) You can now configure Traps to ignore specific files and files executed from specific folders. This can be useful when you want to allow legitimate files to run from a local restricted folder. For example, if you block executables run from a browser’s
folder but need to allow specific just-in-time launchers to run, you can now whitelist any legitimate files. To add a file or folder path to the whitelist, configure a Restrictions security profile and assign it to a rule.
Search Term Persistence
The Traps management service now retains search filters as you move between different tabs and views. Now, when you return to a page, the Traps management service automatically applies any search criteria you applied previously. In addition, you can easily reset all search criteria with a single click.
TLS 1.2 Support
The Traps management service and client browser now enforce TLS 1.2 for secure communication. Browsers that do not support TLS 1.2 are not supported with the Traps management service.
Traps for Linux Migration to Traps Management Service
You can now easily migrate the Traps agent on Linux endpoints from an on-premise management deployment (with the Endpoint Security Manager 4.2) to the cloud-based Traps management service. Now, you can create an upgrade package which contains Traps management service configuration settings and use it to upgrade the Traps agents to the 5.0 agent version on Linux endpoints.

Features Introduced in June 2018

The following table describes the new features introduced in the Traps management service in June 2018.
Log Forwarding
You can now forward Traps logs stored in Cortex Data Lake to an external Syslog log receiver using the new Log Forwarding app. Before you can activate an instance of the Log Forwarding app, you must have the Cortex Data Lake role assigned to you. You must add a separate instance of the app for each instance of Cortex Data Lake from which you want to forward logs. To get started with log forwarding, see Forward Traps Logs to a Syslog Server.
Quarantine by Verdict Source
(Windows only) You can now quarantine malware based on the verdict source. By default, when you enable Traps to quarantine malicious executables, Traps quarantines only files that have a malware verdict issued by WildFire or by the administrative hash control policy. For a stricter security policy, you can also choose to quarantine files whose verdict was issued by local analysis. This ensures that all unknown executable files that Traps suspects to be malware are quarantined.
Uninstall Password Enforcement
On new tenants created in June 2018 or later, the Traps management service now enforces the best practice recommendation to change the uninstall password to a new password which meets the Traps management service security standards. Before you can create a new installation package or a new profile in the Traps management service, you must define the uninstall password. If you later need to change the uninstall password, you can do so in an Agent Settings Profile.
New Security Event Search Criteria
You can now use new search criteria to filter security events that occur on one or more endpoints or are associated with one or more users. The Traps management service provides three new search options:
  • Endpoint Name—Filter security events for endpoints that match a full or partial endpoint name or alias.
  • Endpoint ID—Filter security events for endpoints that match the full endpoint ID assigned by the Traps agent. You can identify the endpoint ID in the details view for an endpoint.
  • Username—Filter security events for a full or partial username. You can also filter security events for a user and user domain using the format

Features Introduced in May 2018

The following table describes the new features introduced in the Traps management service in May 2018.
Traps for Android
The Traps management service now provides management and visibility into threats on Android endpoints. When the Traps app reports an unknown or malicious app, you can view details about the event including the WildFire report for the sample in the Traps management service. For more information about the Traps app for Android, see the Traps Agent Administrator’s Guide.
File Analytics
The Traps management service now provides visibility and detailed file analytics for the files that attempt to run on Windows and Mac endpoints in your organization. File analytics can help you investigate files and view information such as where and when a file ran, the file signer, the file verdict, and the associated WildFire report, if known. After assessing a file, you can also perform additional actions to override the verdict for a file or to request that Palo Alto Networks reexamine the file.
Delete an Endpoint
To remove an endpoint and return a license to the license pool before the automated 90-day clean-up policy takes effect, you can now manually delete one or more Traps agents from the Traps management service. If the Traps agent on a deleted endpoint later attempts to establish communication, the Traps management service treats the agent as a new one and assigns it a new license if one is available in the pool of available licenses.
This feature is available for non-VDI endpoints only.
Child Process Execution Criteria
For Windows endpoints, you can now allow specific parent processes to launch child processes and optionally configure execution criteria. This can be helpful if your organization uses applications in a way that Traps could identify as malicious. For example, if you need to run script engines from an intranet website running Internet Explorer, you can whitelist that specific use while still protecting Internet Explorer from malicious script engines. To Prevent Malicious Child Process Execution with specific execution criteria, configure a Malware Security Profile for Windows.
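The value of execution criteria is that the allow rule is narrowed to the exact launch you need rather than to every script the browser could ever spawn. The following added example, written for this page and not Traps' own code or matching engine, models that policy: Internet Explorer is barred from launching script engines unless an allow rule for the parent/child pair exists, and a rule's criteria are regular expressions evaluated against the child's command line. The process names, the intranet share path `\\intranet\apps`, and the regular-expression form of the criteria are assumptions for the demonstration; the Traps management service does not document how it matches command lines.

```python
"""Illustrative parent/child execution-criteria evaluator (added example, not Traps code).

A protected parent process is normally barred from launching the listed child
processes. An AllowRule re-enables one parent -> child pairing, optionally only
for command lines that satisfy execution criteria. Criteria are modelled here
as regular expressions over the child's full command line (an assumption).
"""
import re
from dataclasses import dataclass, field


@dataclass
class AllowRule:
    parent: str                                   # image name of the parent process
    child: str                                    # image name of the child process
    criteria: list = field(default_factory=list)  # regexes; any one must match the command line


# Constructed policy: script engines spawned by Internet Explorer are blocked
# unless an allow rule matches (process names are hypothetical choices).
BLOCKED_CHILDREN = {
    "iexplore.exe": {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"},
}

# The only permitted use: wscript.exe running a .vbs that lives on the intranet
# share (hypothetical path). The pattern is anchored at both ends, the script
# path must start with \\intranet\apps\ and may not contain further backslashes,
# so neither trailing arguments nor "..\" traversal out of the share can slip by.
ALLOW_RULES = [
    AllowRule(
        "iexplore.exe",
        "wscript.exe",
        [r'^"?[a-z]:\\windows\\system32\\wscript\.exe"? +"?\\\\intranet\\apps\\[^"\s\\]+\.vbs"?$'],
    ),
]


def evaluate(parent, child, cmdline, blocked=BLOCKED_CHILDREN, rules=ALLOW_RULES):
    """Return ("allow" | "block", reason) for a child process launch."""
    parent, child = parent.lower(), child.lower()
    if child not in blocked.get(parent, set()):
        return "allow", "child is not restricted for this parent"
    for rule in rules:
        if rule.parent != parent or rule.child != child:
            continue
        if not rule.criteria:
            # A rule without criteria re-enables the pairing unconditionally.
            return "allow", f"rule {rule.parent} -> {rule.child} has no criteria"
        if any(re.search(pat, cmdline, re.IGNORECASE) for pat in rule.criteria):
            return "allow", f"rule {rule.parent} -> {rule.child} criteria matched"
    return "block", "restricted child launch with no matching allow rule"


if __name__ == "__main__":
    # Constructed launch events to exercise the policy.
    launches = [
        ("iexplore.exe", "wscript.exe",
         r'"C:\Windows\System32\wscript.exe" "\\intranet\apps\timesheet.vbs"'),
        ("iexplore.exe", "wscript.exe",
         r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.vbs"'),
        ("iexplore.exe", "wscript.exe",
         r'"C:\Windows\System32\wscript.exe" "\\intranet\apps\..\..\evil\x.vbs"'),
        ("iexplore.exe", "powershell.exe", "powershell -nop -w hidden -enc AAAA"),
        ("explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'),
    ]
    for parent, child, cmdline in launches:
        verdict, reason = evaluate(parent, child, cmdline)
        print(f"{verdict:<5} {parent} -> {child}: {reason}")
```

The traversal case is the one that matters when writing criteria: a criterion of the form "path begins with the intranet share" is not enough on its own, because `\\intranet\apps\..\..\evil\x.vbs` also begins that way. Anchoring the expression and refusing extra path separators in the script name is what keeps the exception as narrow as the text describes.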
Windows Security Center Registration
You can now customize the registration behavior for Traps and the Windows Security Center, a reporting tool that monitors the system health and security state of endpoints running Windows 7 and later releases. By default, the Traps agent registers with the Windows Security Center and allows automatic Windows updates. When Traps registration is enabled, the Action Center relies on Traps for the Virus Protection status. You can also choose to disable automatic Windows patches and updates or, to allow the Action Center to obtain the Virus Protection status from another endpoint security vendor such as Windows Defender, disable registration with the Microsoft Security Center completely. To customize Microsoft Security Center integration, configure an Agent Settings Profile for Windows endpoints.

Features Introduced in April 2018

The following table describes the new features introduced in the Traps management service in April 2018.
Expand Log Storage Capacity for Traps Logs
You can now activate the Cortex Data Lake Auth code from the cloud services portal to upgrade the Traps Included Storage of 100GB to a Cortex Data Lake license with larger storage capacity.
