Features Introduced in 2019

The following topics describe the new features introduced in the Traps management service in 2019 by month.

Features Introduced in April 2019

Feature
Description
Role Management from Cortex Hub
To enable you to manage roles for all Cortex apps in a single location, you now manage roles from the Cortex hub. Any existing users who were assigned roles in the Customer Support Portal and Traps management service are automatically migrated to Cortex hub. We recommend that you review the Cortex Hub Getting Started Guide and the roles assigned to your users following this migration of roles to Cortex hub to determine if any changes are required.
In addition, the Permissions page from which you managed role assignments in Traps management service is now removed.
Extended On-Demand Quarantine Support
Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft Office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified as exhibiting ransomware behavior. If you need to restore a file or process after you quarantine it, you can do so from the security event or from Files > Quarantine.
Quarantine Visibility Enhancements
For increased visibility and management of quarantined files, the following enhancements were made:
  • Multiple file names—Instead of displaying only the first reported file name for a quarantined file, Traps management service now indicates files with Multiple names on Files > Quarantine. Otherwise, if all reported files have the same name, the Quarantine displays the unique File Name. To view the quarantined file name and location on each endpoint, select the hash to open the details view.
  • Quarantine initiator—You can now view the user or service that initiated a quarantine action in the Quarantined By field of Files > Quarantine. This field can reflect Traps Agent Policy when the security policy triggers the quarantine action, or the username and service that initiated the on-demand quarantine action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.
  • Hash visibility for source and quarantined files—From the security event details, you can now distinguish between the source, target, and quarantined file. In the case of macros, the security event shows the hash associated with the DOCUMENT and the hash and verdict associated with the MACRO.
  • Security events by quarantined file—You can now filter security events by the Process/File Name of a quarantined file. This can be useful to help locate events where the source file was not the quarantined file (for example with behavioral threat events or malicious DLLs).
Logs by Custom Timeframes
To help you quickly find server or endpoint logs that occurred during a specific time period, the Timeframe filter has been enhanced to allow you to define Custom date ranges, dates, and times.
Action Initiator Tracking
The Actions Tracker now indicates the user and service that initiated an action in the Created By field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy.
Security Events by Event Type
To help you quickly find specific types of security events, you can now filter by Event Type. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial event type.

Features Introduced in March 2019

Feature
Description
EDR Data Collection
(Windows 7 with SP1 and later releases and Traps 6.0 and later releases)
Traps can now collect detailed information about all active process, network, file, and registry activity on an endpoint and share that data with other Cortex apps. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack, the endpoints that were involved, and the damage caused.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage in your Cortex Data Lake instance.

Features Introduced in February 2019

Feature
Description
Malware Protection for Linux
(Traps 6.0 and later releases)
Traps for Linux can now prevent known and unknown malware on Linux servers by leveraging WildFire threat intelligence and local analysis to analyze ELF files. When an ELF file executes on the host server or within a container on the Traps-protected host, Traps automatically suspends the execution until a WildFire or local analysis verdict is obtained. When the verdict is malware, Traps prevents the process execution and reports the event to the Traps management service. If the ELF file is unknown to WildFire, Traps can also upload it to WildFire for further analysis.
For compatibility reasons, malware analysis of ELF files on Linux servers requires kernel 3.4 and later versions released before February 4, 2019. Linux servers running other kernel versions will operate in asynchronous mode where the agent will obtain a verdict for the executed ELF file in parallel to its execution and terminate it if a malware verdict is obtained.
Response Actions
(Traps 6.0 and later releases)
Traps can now enforce the following response actions on the endpoint:
  • Network isolation
  • Quarantine (and restore)—Limited to PEs from malware events (you cannot quarantine Microsoft Office files). On-demand quarantine is not supported for Behavioral Threat events; however, you can configure automated quarantine for Behavioral Threat Protection in your Malware Security profile.
  • Process termination—Available for most process-related security events excluding Ransomware and Behavioral Threat events.
If you also use Cortex XDR – Investigation and Response for complete visibility across Cortex XDR – Analytics and Traps, you can initiate the response actions from the Cortex XDR – Investigation and Response app. Traps management service coordinates with the Traps agent on the endpoint to enforce the response actions and tracks the action status.
Behavioral Threat Protection
(Windows 7 with SP1 and later releases and Traps 6.0 and later releases)
To expand Traps malware protection capabilities on Windows endpoints, Traps introduces the new Behavioral Threat Protection module. With behavioral threat protection, Traps continuously monitors endpoint activity to identify and analyze chains of events—known as causality chains—rather than a single event. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) which initiated the activity when Traps detects a match.
When Traps detects matching activity, Traps performs the configured action and reports details about the activities that led to the security event. You can review the entire causality chain up to the causality group owner on the Analysis tab of a security event. If, after analyzing the flow of events, you believe the behavior is legitimate, you can define a policy exception from the security event to disable the behavior rule on the endpoint.
Dynamic Endpoint Group Support for Unused Versions
When you create a dynamic endpoint group, Traps management service now automatically populates two version lists based on your registered Traps agents: installed and other (not-installed) versions. This enables you to include agent or operating system versions that are not currently in use but that you want to include in policy in advance.
Uninstall Protection for Mac Endpoints
The Traps agent now provides additional tampering protection against attempts to uninstall the Traps agent on Mac endpoints. The uninstall password you configure when you first set up an installation package or configure a security profile now applies to Mac installations. You can later change the uninstall password in an Agent Settings profile.
Forensic Data Collection Customization
You can now configure preferences for forensic data collection in an Agent Settings profile. This includes the size of the memory dump collected when a security event occurs on an endpoint and whether or not to upload the forensic data automatically to Traps management service.
Log Forwarding to Email Support
Using the Log Forwarding app, you can configure email forwarding for immediate notification on Traps and Traps management service events—such as critical or high severity logs—to alert your incident response and monitoring teams. You can forward all logs or a subset of logs based on log attributes such as Log Types (Threat, Config, System, or Analytics) or severity.
Traps Security and Deployment Report
The Traps management service can now generate the Traps Security and Deployment Report, which provides a high-level summary of the security and deployment status of your endpoints. You can schedule the report to run on a recurring basis, or you can generate the report on-demand. You can also optionally send the report to one or more e-mail addresses.
New Deployment Admin Role
Traps management service now provides a new role for deployment administrators which you can use to restrict access to deployment-related activities only. Users with the Deployment Admin role can view the dashboard summary for platforms, licenses, and content version distribution; manage endpoints; track endpoint management actions; create installation packages; and view logs.

Features Introduced in January 2019

Feature
Description
Dynamic Endpoint Group Support for Operating Systems
You can now define membership for a dynamic endpoint group based on the specific endpoint type (workstation, server, or mobile) or operating system version (for example, SUSE Linux 12.1). When you define an endpoint group for an operating system, Traps management service presents a list of operating systems and versions based on your registered endpoints.
After you define your endpoint group, you can use it to manage endpoints, apply policy, or apply exceptions to endpoints of a specific type or operating system version.
Installation Package Visibility
You can now hide installation packages that are less critical or no longer relevant on the Agent Installations page.
This option provides an alternative to permanently deleting an installation package. Traps management service permits agents installed from a hidden package to register but denies agents installed from a deleted package. After you hide an installation package, you can view all hidden packages using the View filters at the top of the Agent Installations page. You can also easily unhide a package using the toggle for the package.
