Features Introduced in 2019
Introducing new features in the Traps management service
by month during 2019.
The following topics describe the new features introduced
in the Traps management service in 2019 by month.
Features Introduced in April 2019
Feature | Description |
|---|---|
| Role Management from Cortex Hub | To enable you to manage roles for all Cortex
apps in a single location, you now manage roles from the Cortex
hub. Any existing users who were assigned roles in the Customer
Support Portal and Traps management service are automatically migrated
to Cortex hub. We recommend that you review the Cortex Hub Getting Started Guide and
the roles assigned to your users following this migration of roles
to Cortex hub to determine if any changes are required. In
addition, the Permissions page from which
you managed role assignments in Traps management service is now
removed. |
| Extended On-Demand Quarantine Support | Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified as exhibiting ransomware behavior. If after you quarantine a file or process you need to restore it, you can easily do so from the security event or from . |
| Quarantine Visibility Enhancements | For increased visibility and management of quarantined files,
the following enhancements were made:
|
| Logs by Custom Timeframes | To help you quickly find server or endpoint logs that
occurred during a specific time period, the Timeframe filter
has been enhanced to allow you to define Custom date
ranges, dates, and times.  |
| Action Initiator Tracking | The Actions Tracker now indicates the user and service that initiated an action in the Created By field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy. |
| Security Events by Event Type | To help you quickly find specific types of security
events, you can now filter by Event Type.
Traps management service automatically populates the list of event
types that you can select based on the security events reported
by your Traps agents. To narrow the list of available event types,
you can also Search for a full or partial
event type.  |
Features Introduced in March 2019
Feature | Description |
|---|---|
| EDR Data Collection (Windows 7 with
SP1 and later releases and Traps 6.0 and later releases) | Traps can now collect detailed information
about all active process, network, file, and registry
activity on an endpoint and share that data with other Cortex
apps. This information provides Cortex apps with the endpoint context
so that you can gain insight on the overall event scope when you investigate
a threat. This includes all activities that took place during an
attack, the endpoints that were involved, and the damage caused. When
you enable Traps to Monitor and collect endpoint events in
your Agent Settings profile,
you must also allocate log storage in
your Cortex Data Lake instance. |
Features Introduced in February 2019
Feature | Description |
|---|---|
| Malware Protection for Linux (Traps
6.0 and later releases) | Traps for Linux can now
prevent known and unknown malware on Linux servers by leveraging
WildFire threat intelligence and local analysis to analyze ELF files.
When an ELF file executes on the host server or within a container
on the Traps-protected host, Traps automatically suspends the execution until
a WildFire or local analysis verdict is obtained. When the verdict
is malware, Traps prevents the process execution and reports the
event to the Traps management service. If the ELF file is unknown
to WildFire, Traps can also upload it to WildFire for further analysis. For
compatibility reasons, malware analysis of ELF files on Linux servers
requires kernel 3.4 and later versions released before February
4, 2019. Linux servers running other kernel versions will operate
in asynchronous mode where the agent will obtain a verdict for the
executed ELF file in parallel to its execution and terminate it if
a malware verdict is obtained. |
| Response Actions (Traps 6.0 and later
releases) | Traps can now enforce the following response
actions on the endpoint:
If you also use
Cortex XDR – Investigation and Response for complete visibility
across Cortex XDR – Analytics and Traps, you can initiate the response
actions from the Cortex XDR – Investigation and Response app. Traps
management service coordinates with the Traps agent on the endpoint
to enforce the response actions and tracks the action status. |
| Behavioral Threat Protection (Windows
7 with SP1 and later releases and Traps 6.0 and later releases) | To expand Traps malware protection capabilities
on Windows endpoints, Traps introduces the new Behavioral Threat
Protection module. With behavioral threat protection, Traps continuously monitors
endpoint activity to identify and analyze chains of events—known
as causality chains—rather than a single event. This
enables Traps to detect malicious activity in the chain that could
otherwise appear legitimate if inspected individually. Palo
Alto Networks defines the causality chains that are malicious as
behavioral threat rules in the default policy and delivers any changes
to the rules with content updates. While you cannot configure your
own behavioral threat rules, you can configure the action Traps
takes when it detects a match from a Malware Security profile in
Traps management service. You can also configure Traps to quarantine
the causality group owner (CGO) which initiated the activity when
Traps detects a match. When Traps detects matching activity,
Traps performs the configured action and reports details about the
activities that led to the security event. You can review the entire
causality chain up to the causality croup owner on the Analysis tab
of a security event. If after analyzing the flow of events, you believe
the behavior is legitimate, you can define a policy exception from
the security event to disable to the behavior rule on the endpoint. |
| Dynamic Endpoint Group Support for Unused Versions | When you create a dynamic endpoint group, Traps management service now automatically populates two version lists based on your registered Traps agents: installed and other (not-installed) versions. This enables you to include agent or operating system versions that are not currently in use but for which you want to include in policy in advance. |
| Uninstall Protection for Mac Endpoints | The Traps agent now provides additional tampering protection against attempts to uninstall the Traps agent on Mac endpoints. The uninstall password you configure when you first set up an installation package or configure a security profile now applies to Mac installations. You can later change the uninstall password in an Agent Settings profile. |
| Forensic Data Collection Customization | You can now configure preferences for forensic data collection in an Agent Settings profile. This includes the size of the memory dump collected when a security event occurs on an endpoints and whether or not to upload the forensic data automatically to Traps management service. |
| Log Forwarding to Email Support | Using the Log Forwarding app, you can configure email forwarding for immediate notification on Traps and Traps management service events—such as critical or high severity logs—to alert your incident response and monitoring teams. You can forward all logs or a subset of logs based on log attributes such as Log Types (Threat, Config, System, or Analytics) or severity. |
| Traps Security and Deployment Report | The Traps management service can now generate
the Traps Security and Deployment
Report, which provides a high-level summary of the security
and deployment status of your endpoints. You can schedule the report
to run on a recurring basis, or you can generate the report on-demand.
You can also optionally send the report to one or more e-mail addresses.  |
| New Deployment Admin Role | Traps management service now provides a new role for deployment
administrators which you can use to restrict access to deployment-related
activities only. Users with the Deployment Admin role
can view the dashboard summary for platforms, licenses, and content
version distribution; manage endpoints; track endpoint management actions;
create installation packages; and view logs.  |
Features Introduced in January 2019
Feature | Description |
|---|---|
| Dynamic Endpoint Group Support for Operating Systems | You can now define membership for a dynamic endpoint group based
on the specific endpoint type (workstation, server, or mobile) or
operating system version (for example, SUSE Linux 12.1). When you
define an endpoint group for an operating system, Traps management
service presents a list of operating systems and versions based
on your registered endpoints.  After you define your endpoint group, you can use
it to manage endpoints, apply policy, or apply exceptions to endpoints
of a specific type or operating system version. |
| Installation Package Visibility | You can now hide installation packages that are
less critical or no longer relevant on the Agent Installations page.  |