In environments where Traps agents communicate with the Traps management service through a system-wide proxy, you can now set an application specific proxy for the Traps agent without affecting the communication of other applications on the endpoint. You can set, manage and disable the Traps agent proxy configuration in the Traps management service.

If your agent is communicating directly with the Traps management service, you can assign it a dedicated proxy in the
Endpoints
window. Once you choose to disable this proxy, the agent will revert back to communicating directly with Traps management service.
If your agent is not connected to Traps management service yet, you must assign the proxy IP address and port number during the Traps agent installation process on the endpoint. For agent installation instructions, see the Traps Agent Administrator’s Guide.

With the Palo Alto Networks Broker Service, you can now deploy Traps in restricted networks where endpoints do not have a direct connection to the internet. The Broker Service acts as a proxy that mediates communication between the endpoints in your restricted network and Traps management service. This enables your Traps agents to receive security policy updates from, and send logs and files to Traps management service without a direct connection. To use the Broker Service, you deploy a Broker VM on your network and configure your Traps agents for communication with the Broker VM instead of the Traps management service. The Broker Service requires Traps agent 6.1.2 or later versions.

You can now minimize sensitive access to Traps endpoints by assigning one of two new administrative roles from the hub to your Traps management service users. The new roles, Privileged Security Admin and Privileged IT Admin, restrict who can perform

File Retrieval

and

Live Terminal

response actions on Traps endpoints.

Privileged Security Admin–Provides the same privileges as the Security Admin role, in addition to
Live Terminal
and
File Retrieval
. Security Admins will no longer be allowed to perform these two actions.
Privileged IT Admin–Provides the same privileges as IT Admin, in addition to initiating
Live Terminal
. IT Admins will no longer be able to perform this action.

In addition to the two new roles, users assigned a Super Admin role can also perform

File Retrieval

and

Live Terminal

actions.

When you investigate the details of a security event in Traps terminal service, you can now continue your analysis in Cortex XDR to identify the root cause and timeline of events. To use integrated security event analysis with Cortex XDR, you must have a valid Cortex XDR license and enable the

Monitor and collect enhanced endpoint data

capability in an Agent Settings profile.

The option to

Monitor and collect enhanced endpoint data

can now be enabled only if you have a valid Cortex XDR license and allocated log storage in your Cortex Data Lake instance. When enabled, Traps shares detailed information about all active file, process, network, and registry activity on an endpoint with other Cortex apps. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. If you do not have a valid Cortex XDR license, the

Monitor and collect enhanced endpoint data

option in the Agent Settings profile is grayed out and disabled.

To take immediate action when a security event occurs on a Mac endpoint or a Linux server with Traps 6.1, you can now initiate the following response actions:

Terminate Process
—Terminate the suspicious process on the endpoint. This option is available from security events for which the action is
Report
and allows you to issue a remote request to the endpoint to terminate the process.
Quarantine
—If Traps has reported malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. Quarantine isn't enabled for security events that originated from network drives or containers.

Traps now includes a pre-defined list of blacklisted processes by signer with the default Malware Security policy. When a process signed by a blacklisted signer tries to run, Traps now blocks its execution and raises a security event. Blacklisted signers are defined by Palo Alto Networks and changes to the default list can be delivered with content updates. If necessary, you can create an exception from a security event to remove a process from the blacklist. To disable blacklisted signers, contact Support.

After you isolate an endpoint, Traps management service now disables the ability to upgrade the Traps agent. This ensures the isolation state is enforced on the endpoints, keeping them disconnected from your network. Now, if you try to select one or more isolated endpoints the option to upgrade is disabled. If you select a mix of isolated and un-isolated endpoints, Traps management service excludes the endpoint from the bulk action.

If an event requires further investigation and remediation, you can initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, and run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity. Live Terminal is supported on endpoints that meet the following requirements.

Traps 6.1 or a later release
Windows 7 SP1 or a later release
Windows update patch for WinCRT (KB 2999226)—To verify the Hotfixes that are installed on the endpoint, run the systeminfo command from a command prompt.
Endpoint activity was reported within the last 90 minutes (as identified by the Last Seen timestamp in the endpoint details).

You can now initiate a response action to retrieve files from Windows endpoints with Traps 6.1 directly or from the security event in Traps management service. You can retrieve up to 20 files related to a security event (up to 200MB total). As part of the 20 files, you can retrieve additional files by supplying the file path. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, you can view the action from the

Action Tracker

.Traps management service retains retrieved files for up to one week.

The

Security Events

,

Endpoints

, and

Reports

pages are now enhanced to improve usability. Now, when you scroll up and down the page, the headings are docked to remain visible. Also, you can scroll faster through large amounts of records.

To simplify navigation and improve visibility on wide screens, the new top navigation bar in Traps management service replaces the left navigation menu. It includes the same functionalities as before but is now grouped by the following menus:

From the
Dashboard
menu, you can access the Traps management service dashboard and widgets.

From the
Security
menu, you can view security events, investigate files, define policy rules, manage profiles, and configure policy exceptions.

From the
Endpoints
menu, you can manage endpoints, endpoint groups, and installation packages.

From the
Monitor
menu, you can monitor administrative actions, manage logs, and generate reports.

To help you assess whether to restore a quarantined file, Traps management service now provides a history of verdicts and identifies verdicts from multiple verdict-issuing sources. From the additional details view of the file, you can view the WildFire verdict, local analysis verdict, and hash exception verdict. Each verdict also indicates when the verdict was received or changed: For WildFire verdicts, the time is relative to the change in the WildFire cloud service; for local analysis verdicts, the time is relative to the last time a local analysis event was reported for the file matching the file hash; and for hash exception verdicts, the time is relative to the time the exception was created.

The Traps management service export capacity for security events, endpoints, logs, and other Traps management service records is now increased to enable you to export any desired selection of records. Previously Traps management service limited exported data to 10,000 records regardless of the selection. To help you better monitor actions related to exporting data, you can now track export actions from

Actions Tracker

. In addition, Traps management service has updated the log message type (to view earlier logs, you can use the now renamed log types with the

- Legacy

suffix).

To streamline management and monitoring of commonly performed bulk actions, you can now initiate a bulk actions for an increased number of endpoints. The capacity change applies to the following bulk actions:

Upgrade Traps agents (unlimited)
Uninstall Traps agents (unlimited)
Scan endpoints (unlimited)
Abort endpoint scans (unlimited)
Restore files (up to 1,000)

The higher capacity enables you to monitor the status of larger numbers of target endpoints in a single bulk action instead of restricting bulk actions to batches of endpoints and monitoring each batch individually.

Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified as exhibiting ransomware behavior. If after you quarantine a file or process you need to restore it, you can easily do so from the security event or from

Files

Quarantine

.

For increased visibility and management of quarantined files, the following enhancements were made:

Multiple file names
—Instead of displaying only the first reported file name for a quarantined file, Traps management service now indicates files with
Multiple names
on
Files
Quarantine
. Otherwise, if all reported files have the same name, the
Quarantine
displays the unique
File Name
. To view the quarantined file name and location on each endpoint, select the hash to open the details view.
Quarantine initiator
—You can now view the user or service that initiated a quarantine action in the
Quarantined By
field of
Files
Quarantine
. This field can reflect
Traps Agent Policy
when the security policy triggers the quarantine action or the username and service who initiated the on-demand quarantined action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.
Hash visibility for source and quarantined files
—From the security event details, you can now distinguish between the source, target, and quarantined file. In the case of macros, the security event shows the hash associated with the
DOCUMENT
and the hash and verdict associated with the
MACRO
.
Security events by quarantined file
—You can now filter security events by the
Process/File Name
of a quarantined file. This can be useful to help locate events where the source file was not the quarantined file (for example with behavioral threat events or malicious DLLs).

To help you quickly find server or endpoint logs that occurred during a specific time period, the

Timeframe

filter has been enhanced to allow you to define

Custom

date ranges, dates, and times.

The

Actions Tracker

now indicates the user and service that initiated an action in the

Created By

field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy.

When you create a dynamic endpoint group, Traps management service now automatically populates two version lists based on your registered Traps agents: installed and other (not-installed) versions. This enables you to include agent or operating system versions that are not currently in use but for which you want to include in policy in advance.

The Traps agent now provides additional tampering protection against attempts to uninstall the Traps agent on Mac endpoints. The uninstall password you configure when you first set up an installation package or configure a security profile now applies to Mac installations. You can later change the uninstall password in an Agent Settings profile.

You can now configure preferences for forensic data collection in an Agent Settings profile. This includes the size of the memory dump collected when a security event occurs on an endpoints and whether or not to upload the forensic data automatically to Traps management service.

Using the Log Forwarding app, you can configure email forwarding for immediate notification on Traps and Traps management service events—such as critical or high severity logs—to alert your incident response and monitoring teams. You can forward all logs or a subset of logs based on log attributes such as

Log Types

(Threat, Config, System, or Analytics) or severity.

The Traps management service can now generate the Traps Security and Deployment Report, which provides a high-level summary of the security and deployment status of your endpoints. You can schedule the report to run on a recurring basis, or you can generate the report on-demand. You can also optionally send the report to one or more e-mail addresses.