Features Introduced in 2019

The following topics describe the new features introduced in the Traps management service during 2019, by month.

Features Introduced in August 2019

Feature
Description
Integrated Security Events Analysis
When you investigate the details of a security event in Traps management service, you can now continue your analysis in Cortex XDR to identify the root cause and timeline of events. To use integrated security event analysis with Cortex XDR, you must have a valid Cortex XDR license and enable the Monitor and collect enhanced endpoint data capability in an Agent Settings profile.
Enabling Enhanced Data Collection (change to previous behavior)
The option to Monitor and collect enhanced endpoint data can now be enabled only if you have a valid Cortex XDR license and allocated log storage in your Cortex Data Lake instance. When enabled, Traps shares detailed information about all active file, process, network, and registry activity on an endpoint with other Cortex apps. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. If you do not have a valid Cortex XDR license, the Monitor and collect enhanced endpoint data option in the Agent Settings profile is grayed out and disabled.
Improved Grid for Actions Tracker
The Actions Tracker is now enhanced to improve usability. Now, when you scroll up and down the page, the headings are docked to remain visible. Also, you can scroll faster through large amounts of records.

Features Introduced in July 2019

Feature
Description
New Response Actions for Mac and Linux Endpoints
To take immediate action when a security event occurs on a Mac endpoint or a Linux server with Traps 6.1, you can now initiate the following response actions:
  • Terminate Process—Terminate the suspicious process on the endpoint. This option is available from security events for which the action is Report and allows you to issue a remote request to the endpoint to terminate the process.
  • Quarantine—If Traps has reported malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. Quarantine isn't enabled for security events that originated from network drives or containers.
You can review the status of the response actions both from the security event and from the Actions Tracker.
Data Collection for Mac and Linux Endpoints
Traps 6.1 now extends data collection and sharing capabilities to Mac and Linux endpoints. When enabled to do so, Traps uploads endpoint activity data to the Cortex Data Lake. This information provides Cortex apps with the endpoint context so that you can gain insight into the overall event scope when you investigate a threat. This includes all activities that took place during an attack and the endpoints that were involved.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage for Endpoint Data in your Cortex Data Lake instance.
Behavioral Threat Protection for Mac and Linux Endpoints
Traps 6.1 now extends Behavioral Threat Protection to protect Mac and Linux endpoints. This enables Traps to monitor endpoint activity to identify and analyze chains of events—known as causality chains—instead of only evaluating a single event on its own. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) which initiated the activity when Traps detects a match.
Blacklisted Signers
Traps now includes a pre-defined list of blacklisted processes by signer with the default Malware Security policy. When a process signed by a blacklisted signer tries to run, Traps now blocks its execution and raises a security event. Blacklisted signers are defined by Palo Alto Networks and changes to the default list can be delivered with content updates. If necessary, you can create an exception from a security event to remove a process from the blacklist. To disable blacklisted signers, contact Support.
Blocking Upgrades for Isolated Agents (Windows only)
After you isolate an endpoint, Traps management service now disables the ability to upgrade the Traps agent. This ensures the isolation state is enforced on the endpoint, keeping it disconnected from your network. Now, if you select one or more isolated endpoints, the option to upgrade is disabled. If you select a mix of isolated and un-isolated endpoints, Traps management service excludes the isolated endpoints from the bulk upgrade action.
Remote Investigation and Remediation with Live Terminal (Windows only)
If an event requires further investigation and remediation, you can initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity. Live Terminal is supported on endpoints that meet the following requirements.
  • Traps 6.1 or a later release
  • Windows 7 SP1 or a later release
  • Windows update patch for WinCRT (KB 2999226)—To verify the Hotfixes that are installed on the endpoint, run the systeminfo command from a command prompt.
  • Endpoint activity was reported within the last 90 minutes (as identified by the Last Seen timestamp in the endpoint details).
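The prerequisite list above translates into a readiness check you can run before attempting a Live Terminal session. The following Python is an added example, not code from the Traps documentation or product: it parses the output of the `systeminfo` command the page refers to (the sample excerpt below is constructed, not captured from a real host), checks the OS version against the Windows 7 SP1 build number (6.1.7601), looks for hotfix KB2999226, and checks that the Last Seen timestamp falls within the 90-minute window. The Traps agent version itself is not checked, because the page documents no way to query it from the endpoint.

```python
"""Live Terminal prerequisite check built on `systeminfo` output (added example)."""
import re
from datetime import datetime, timedelta, timezone

REQUIRED_HOTFIX = "KB2999226"           # WinCRT update named in the requirements
LAST_SEEN_WINDOW = timedelta(minutes=90)  # Last Seen must be within this window
MIN_OS_VERSION = (6, 1, 7601)           # Windows 7 SP1 reports OS Version 6.1.7601

# Constructed excerpt of `systeminfo` output; the field layout follows the
# real command, but these values are invented for the example.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS-FINANCE-07
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB3033929
                           [03]: KB4474419
Network Card(s):           1 NIC(s) Installed.
"""


def parse_systeminfo(text):
    """Return (os_version_tuple, set_of_hotfix_ids) from `systeminfo` output."""
    version = None
    hotfixes = set()
    in_hotfix_block = False
    for line in text.splitlines():
        m = re.match(r"OS Version:\s+(\d+)\.(\d+)\.(\d+)", line)
        if m:
            version = tuple(int(x) for x in m.groups())
            continue
        if line.startswith("Hotfix(s):"):
            in_hotfix_block = True
            continue
        if in_hotfix_block:
            # Hotfix entries are indented "[NN]: KBxxxxxxx" lines; the next
            # top-level field (no indent) ends the block.
            m = re.match(r"\s+\[\d+\]:\s*(KB\d+)", line)
            if m:
                hotfixes.add(m.group(1))
            else:
                in_hotfix_block = False
    return version, hotfixes


def live_terminal_ready(systeminfo_text, last_seen, now=None):
    """Return a dict of named prerequisite checks, each True when satisfied."""
    now = now or datetime.now(timezone.utc)
    version, hotfixes = parse_systeminfo(systeminfo_text)
    return {
        "os_version": version is not None and version >= MIN_OS_VERSION,
        "wincrt_hotfix": REQUIRED_HOTFIX in hotfixes,
        "recently_seen": now - last_seen <= LAST_SEEN_WINDOW,
    }


if __name__ == "__main__":
    now = datetime(2019, 7, 15, 12, 0, tzinfo=timezone.utc)
    last_seen = now - timedelta(minutes=20)   # constructed Last Seen value
    checks = live_terminal_ready(SAMPLE_SYSTEMINFO, last_seen, now)
    for name, ok in checks.items():
        print("%-14s %s" % (name, "OK" if ok else "MISSING"))
```

Run `systeminfo > info.txt` on the endpoint and feed the file contents to `live_terminal_ready` together with the Last Seen value from the endpoint details page. A failed `recently_seen` check usually means the agent is offline or isolated rather than misconfigured, so resolve connectivity before retrying.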
Retrieve Files Response Action (Windows only)
You can now initiate a response action to retrieve files from Windows endpoints with Traps 6.1, either directly or from a security event in Traps management service. From a security event, you can retrieve up to 20 files related to the event (up to 200MB total); within that limit of 20 files, you can also request additional files by supplying their file paths. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, view the action in the Actions Tracker. Traps management service retains retrieved files for up to one week.
Hardened Passwords Using PBKDF2 (Windows only)
For increased security, the Traps agent uninstall password is now protected with PBKDF2, a salted and iterated password-based key derivation function, when it is transferred between Traps management service and the Windows agents. Traps management service automatically applies the stronger algorithm to the password in new installation packages (no password reset is required). Because PBKDF2 makes each guess expensive and salting defeats precomputed tables, the stronger scheme helps prevent attempts to recover the password.
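To make the mechanism concrete, here is an added Python example of how an uninstall password can be protected and verified with PBKDF2; it is not Traps' own code, and the iteration count, salt length, hash function and record format are assumptions chosen for illustration rather than the parameters the product uses. The point it demonstrates is that the verifier stores only the salt, the iteration count and the derived key, recomputes the derivation on every check, and compares in constant time, so nothing recoverable as the password is ever stored or sent.

```python
"""PBKDF2 protection of a shared secret such as an uninstall password (added example)."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 310_000   # assumption: raise until one derivation costs ~100 ms on the agent
SALT_BYTES = 16        # assumption: 128-bit random salt per record
KEY_BYTES = 32         # derived key length (SHA-256 output size)


def protect_password(password, salt=None, iterations=ITERATIONS):
    """Derive a key from the password and return a self-describing record.

    Record layout (assumed, not the Traps format): algo$iterations$salt$key
    with salt and key base64-encoded, so the verifier can recompute later.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, KEY_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(candidate, record):
    """Recompute the derived key from the stored parameters; constant-time compare."""
    algo, iterations, salt_b64, key_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 int(iterations), len(expected))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = protect_password("Uninst@ll-2019")          # constructed sample password
    print(record)
    print(verify_password("Uninst@ll-2019", record))    # True
    print(verify_password("uninst@ll-2019", record))    # False
    # Same password, fresh salt: a different record, so precomputed tables fail.
    print(protect_password("Uninst@ll-2019") != record) # True
```

The iteration count is stored in the record on purpose: when you later raise it, old records still verify, and you can re-derive them with the higher count the next time the password is entered.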

Features Introduced in June 2019

Feature
Description
Usability Enhancements for Security Events, Endpoints, and Reports
The Security Events, Endpoints, and Reports pages are now enhanced to improve usability. Now, when you scroll up and down the page, the headings are docked to remain visible. Also, you can scroll faster through large amounts of records.
Navigation Bar Redesign
To simplify navigation and improve visibility on wide screens, the new top navigation bar in Traps management service replaces the left navigation menu. It includes the same functionalities as before but is now grouped by the following menus:
tms_upper_bar__nav_menu.png
  • From the Dashboard menu, you can access the Traps management service dashboard and widgets.
  • From the Security menu, you can view security events, investigate files, define policy rules, manage profiles, and configure policy exceptions.
  • From the Endpoints menu, you can manage endpoints, endpoint groups, and installation packages.
  • From the Monitor menu, you can monitor administrative actions, manage logs, and generate reports.
Enhanced Filters
New filtering options simplify search in all Traps management service pages. Now, you can choose which filters to display on each page, per session. To save your filter criteria for use in future sessions, you can pin the relevant filters. By default, the severity filter is pinned for security events and the time frame filter is pinned for time-based pages (such as Security Events and Logs).
tms_filters.png

Features Introduced in May 2019

Feature
Description
Enhanced Verdict Information for Quarantined Files
To help you assess whether to restore a quarantined file, Traps management service now provides a history of verdicts and identifies verdicts from multiple verdict-issuing sources. From the additional details view of the file, you can view the WildFire verdict, local analysis verdict, and hash exception verdict. Each verdict also indicates when the verdict was received or changed: For WildFire verdicts, the time is relative to the change in the WildFire cloud service; for local analysis verdicts, the time is relative to the last time a local analysis event was reported for the file matching the file hash; and for hash exception verdicts, the time is relative to the time the exception was created.
Log Severity Correlation
Traps management service now derives the Syslog severity from the trapsSeverity field using the following enumeration mapping:
  • trapsSeverity (0) Informational now maps to Syslog severity (6) Informational.
  • trapsSeverity (1) Low now maps to Syslog severity (5) Notice.
  • trapsSeverity (2) Medium now maps to Syslog severity (4) Warning.
  • trapsSeverity (3) High now maps to Syslog severity (3) Error.
  • trapsSeverity (4) Critical now maps to Syslog severity (2) Critical.
Previously, the two values were calculated independently and could come from different sources. Deriving one from the other provides consistency between the two fields when you use the Log Forwarding app to forward logs to an external server that receives Syslog messages (or to an email server).
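On the receiving side, the severity arrives encoded in the syslog PRI header (PRI = facility × 8 + severity), while trapsSeverity travels in the message body, so a SIEM can check that the two agree. The following Python is an added example, not code from Traps management service or the Log Forwarding app: it decodes the PRI, extracts trapsSeverity, applies the mapping above, and reports lines that violate it. The placement of `trapsSeverity=N` as a key=value field in the body and the sample lines themselves are constructed assumptions for illustration, not the documented Traps log layout.

```python
"""Verify the trapsSeverity -> syslog severity mapping on forwarded lines (added example)."""
import re

# trapsSeverity -> expected syslog severity, from the mapping documented above
TRAPS_TO_SYSLOG = {0: 6, 1: 5, 2: 4, 3: 3, 4: 2}
SYSLOG_SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")
TRAPS_SEV_RE = re.compile(r"\btrapsSeverity=(\d)\b")   # assumed body field


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity); PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:          # 23 facilities x 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8


def check_message(line):
    """Return (traps_severity, syslog_severity, consistent) for one forwarded line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI header: " + line[:40])
    _facility, syslog_sev = decode_pri(int(m.group(1)))
    m = TRAPS_SEV_RE.search(line)
    if not m:
        raise ValueError("missing trapsSeverity field: " + line[:40])
    traps_sev = int(m.group(1))
    return traps_sev, syslog_sev, TRAPS_TO_SYSLOG.get(traps_sev) == syslog_sev


def find_mismatches(lines):
    """Return the lines whose PRI severity does not follow the documented mapping."""
    return [line for line in lines if not check_message(line)[2]]


# Constructed sample lines, facility local4 (20). They are not real Traps output.
SAMPLE_LINES = [
    # trapsSeverity 4 (Critical) -> severity 2 -> PRI 20*8+2 = 162
    "<162>1 2019-05-07T10:15:00Z tms traps - - - trapsSeverity=4 endpointName=ws01 eventType=Malware",
    # trapsSeverity 1 (Low) -> severity 5 -> PRI 165
    "<165>1 2019-05-07T10:16:00Z tms traps - - - trapsSeverity=1 endpointName=ws02 eventType=Scan",
    # mismatch: trapsSeverity 3 (High) should give severity 3 (PRI 163), but PRI 166 says Informational
    "<166>1 2019-05-07T10:17:00Z tms traps - - - trapsSeverity=3 endpointName=ws03 eventType=Exploit",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        traps_sev, syslog_sev, ok = check_message(line)
        print("trapsSeverity=%d syslog=%d (%s) %s" % (
            traps_sev, syslog_sev, SYSLOG_SEVERITY_NAMES[syslog_sev],
            "ok" if ok else "MISMATCH"))
```

A mismatch on lines received after the May 2019 change points at something rewriting the PRI in transit (a relay that re-tags severity, or a parser that ignores the header), not at Traps management service, so check the relay configuration before adjusting alert thresholds.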
Unlimited Data Export Capacity
The Traps management service export capacity for security events, endpoints, logs, and other Traps management service records is now increased to enable you to export any desired selection of records. Previously, Traps management service limited exported data to 10,000 records regardless of the selection. To help you better monitor actions related to exporting data, you can now track export actions from the Actions Tracker. In addition, Traps management service has updated the log message type; to view earlier logs, use the previous log types, which are now renamed with the - Legacy suffix.
Bulk Action Capacity Increases
To streamline management and monitoring of commonly performed bulk actions, you can now initiate a bulk action for an increased number of endpoints. The capacity change applies to the following bulk actions:
  • Upgrade Traps agents (unlimited)
  • Uninstall Traps agents (unlimited)
  • Scan endpoints (unlimited)
  • Abort endpoint scans (unlimited)
  • Restore files (up to 1,000)
The higher capacity enables you to monitor the status of larger numbers of target endpoints in a single bulk action instead of restricting bulk actions to batches of endpoints and monitoring each batch individually.
URL Migration Notice
In May, Palo Alto Networks migrated to new URLs used for communication with Traps management service. If you configured your Palo Alto Networks firewalls to use the traps-management-service App-ID instead of allowing access to the specific URLs, the migration is seamless. If you allowed direct access to the old URLs, you must enable access to the new URLs to ensure communication with Traps management service components.

Features Introduced in April 2019

Feature
Description
Role Management from Cortex Hub
To enable you to manage roles for all Cortex apps in a single location, you now manage roles from the Cortex hub. Any existing users who were assigned roles in the Customer Support Portal and Traps management service are automatically migrated to Cortex hub. We recommend that you review the Cortex Hub Getting Started Guide and the roles assigned to your users following this migration of roles to Cortex hub to determine if any changes are required.
In addition, the Permissions page from which you managed role assignments in Traps management service is now removed.
Extended On-Demand Quarantine Support
Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft Office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified in the event. If after you quarantine a file or process you need to restore it, you can easily do so from the security event or from Files > Quarantine.
Quarantine Visibility Enhancements
For increased visibility and management of quarantined files, the following enhancements were made:
  • Multiple file names—Instead of displaying only the first reported file name for a quarantined file, Traps management service now indicates files with Multiple names on Files > Quarantine. Otherwise, if all reported files have the same name, the Quarantine page displays the unique File Name. To view the quarantined file name and location on each endpoint, select the hash to open the details view.
  • Quarantine initiator—You can now view the user or service that initiated a quarantine action in the Quarantined By field of Files > Quarantine. This field reflects Traps Agent Policy when the security policy triggers the quarantine action, or the username and service that initiated the on-demand quarantine action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.
  • Hash visibility for source and quarantined files—From the security event details, you can now distinguish between the source, target, and quarantined file. In the case of macros, the security event shows the hash associated with the DOCUMENT and the hash and verdict associated with the MACRO.
  • Security events by quarantined file—You can now filter security events by the Process/File Name of a quarantined file. This can be useful to help locate events where the source file was not the quarantined file (for example with behavioral threat events or malicious DLLs).
Logs by Custom Timeframes
To help you quickly find server or endpoint logs that occurred during a specific time period, the Timeframe filter has been enhanced to allow you to define Custom date ranges, dates, and times.
tms-logs-custom-date-range.png
Action Initiator Tracking
The Actions Tracker now indicates the user and service that initiated an action in the Created By field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy.
Security Events by Event Type
To help you quickly find specific types of security events, you can now filter by Event Type. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial event type.
tms-security-events-by-event-type.png

Features Introduced in March 2019

Feature
Description
EDR Data Collection (Windows 7 with SP1 and later releases and Traps 6.0 and later releases)
Traps can now collect detailed information about all active process, network, file, and registry activity on an endpoint and share that data with other Cortex apps. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack, the endpoints that were involved, and the damage caused.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage in your Cortex Data Lake instance.

Features Introduced in February 2019

Feature
Description
Malware Protection for Linux (Traps 6.0 and later releases)
Traps for Linux can now prevent known and unknown malware on Linux servers by leveraging WildFire threat intelligence and local analysis to analyze ELF files. When an ELF file executes on the host server or within a container on the Traps-protected host, Traps automatically suspends the execution until a WildFire or local analysis verdict is obtained. When the verdict is malware, Traps prevents the process execution and reports the event to the Traps management service. If the ELF file is unknown to WildFire, Traps can also upload it to WildFire for further analysis.
For compatibility reasons, synchronous malware analysis of ELF files on Linux servers requires kernel version 3.4 or later, limited to kernel versions released before February 4, 2019. Linux servers running other kernel versions operate in asynchronous mode, where the agent obtains a verdict for the executed ELF file in parallel with its execution and terminates the process if a malware verdict is returned.
Response Actions (Traps 6.0 and later releases)
Traps can now enforce the following response actions on the endpoint:
  • Network isolation
  • Quarantine (and restore)—Limited to PEs from malware events (you cannot quarantine Microsoft Office files). On-demand quarantine is not supported for Behavioral Threat events, however you can configure automated quarantine for Behavioral Threat Protection in your Malware Security profile.
  • Process termination—Available for most process-related security events excluding Ransomware and Behavioral Threat events.
If you also use Cortex XDR – Investigation and Response for complete visibility across Cortex XDR – Analytics and Traps, you can initiate the response actions from the Cortex XDR – Investigation and Response app. Traps management service coordinates with the Traps agent on the endpoint to enforce the response actions and tracks the action status.
Behavioral Threat Protection (Windows 7 with SP1 and later releases and Traps 6.0 and later releases)
To expand Traps malware protection capabilities on Windows endpoints, Traps introduces the new Behavioral Threat Protection module. With behavioral threat protection, Traps continuously monitors endpoint activity to identify and analyze chains of events—known as causality chains—rather than a single event. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) which initiated the activity when Traps detects a match.
When Traps detects matching activity, Traps performs the configured action and reports details about the activities that led to the security event. You can review the entire causality chain up to the causality group owner on the Analysis tab of a security event. If after analyzing the flow of events you believe the behavior is legitimate, you can define a policy exception from the security event to disable the behavioral threat rule on the endpoint.
Dynamic Endpoint Group Support for Unused Versions
When you create a dynamic endpoint group, Traps management service now automatically populates two version lists based on your registered Traps agents: installed and other (not-installed) versions. This enables you to include agent or operating system versions that are not currently in use but that you want to include in policy in advance.
Uninstall Protection for Mac Endpoints
The Traps agent now provides additional tampering protection against attempts to uninstall the Traps agent on Mac endpoints. The uninstall password you configure when you first set up an installation package or configure a security profile now applies to Mac installations. You can later change the uninstall password in an Agent Settings profile.
Forensic Data Collection Customization
You can now configure preferences for forensic data collection in an Agent Settings profile. This includes the size of the memory dump collected when a security event occurs on an endpoint and whether or not to upload the forensic data automatically to Traps management service.
Log Forwarding to Email Support
Using the Log Forwarding app, you can configure email forwarding for immediate notification on Traps and Traps management service events—such as critical or high severity logs—to alert your incident response and monitoring teams. You can forward all logs or a subset of logs based on log attributes such as Log Types (Threat, Config, System, or Analytics) or severity.
Traps Security and Deployment Report
The Traps management service can now generate the Traps Security and Deployment Report, which provides a high-level summary of the security and deployment status of your endpoints. You can schedule the report to run on a recurring basis, or you can generate the report on-demand. You can also optionally send the report to one or more e-mail addresses.
tms-report.png
New Deployment Admin Role
Traps management service now provides a new role for deployment administrators which you can use to restrict access to deployment-related activities only. Users with the Deployment Admin role can view the dashboard summary for platforms, licenses, and content version distribution; manage endpoints; track endpoint management actions; create installation packages; and view logs.
tms-permissions-deployment.png

Features Introduced in January 2019

Feature
Description
Dynamic Endpoint Group Support for Operating Systems
You can now define membership for a dynamic endpoint group based on the specific endpoint type (workstation, server, or mobile) or operating system version (for example, SUSE Linux 12.1). When you define an endpoint group for an operating system, Traps management service presents a list of operating systems and versions based on your registered endpoints.
tms-endpoint-groups-operating-system-version.png
After you define your endpoint group, you can use it to manage endpoints, apply policy, or apply exceptions to endpoints of a specific type or operating system version.
Installation Package Visibility
You can now hide installation packages that are less critical or no longer relevant on the Agent Installations page.
tms-agent-installations-hide.png
This option provides an alternative to permanently deleting an installation package. Traps management service permits agents installed from a hidden package to register but denies agents installed from a deleted package. After you hide an installation package, you can view all hidden packages using the View filters at the top of the Agent Installations page. You can also easily unhide a package using the toggle for the package.
