Features Introduced in 2019
Introducing new features in the Traps management service by month during 2019.

The following topics describe the new features introduced in the Traps management service in 2019 by month.
Features Introduced in October 2019
Feature | Description |
---|---|
Automated Incident Response with Demisto | You can now integrate Traps management service with the Demisto security platform through the Traps management service API. The integration enables you to automate response actions and alerts on endpoints protected by Traps. For example, you can apply a Demisto playbook to automatically isolate a Traps endpoint that has open ports to a malicious URL. To integrate Traps management service and Demisto, you must have Super Admin privileges and a license for both Traps management service and the Demisto platform. |
Features Introduced in September 2019
Feature | Description |
---|---|
Configurable Agent Proxy Settings | In environments where Traps agents communicate with the Traps management service through a system-wide proxy, you can now set an application-specific proxy for the Traps agent without affecting the communication of other applications on the endpoint. You can set, manage, and disable the Traps agent proxy configuration in the Traps management service. Agent proxy settings require Traps agent 6.1.2 or later versions. |
Traps for Restricted Networks | With the Palo Alto Networks Broker Service, you can now deploy Traps in restricted networks where endpoints do not have a direct connection to the internet. The Broker Service acts as a proxy that mediates communication between the endpoints in your restricted network and Traps management service. This enables your Traps agents to receive security policy updates from, and send logs and files to, Traps management service without a direct connection. To use the Broker Service, you deploy a Broker VM on your network and configure your Traps agents to communicate with the Broker VM instead of the Traps management service. The Broker Service requires Traps agent 6.1.2 or later versions. |
New Privileged Administrative Roles for Sensitive Response Actions | You can now minimize sensitive access to Traps endpoints by assigning one of two new administrative roles from the hub to your Traps management service users. The new roles, Privileged Security Admin and Privileged IT Admin, restrict who can perform File Retrieval and Live Terminal response actions on Traps endpoints. |
New Search Capabilities for Actions Tracker | To help you quickly locate the administrative actions initiated by Traps management service users, five search filters were added to the Actions Tracker window: |
Features Introduced in August 2019
Feature | Description |
---|---|
Integrated Security Events Analysis | When you investigate the details of a security event in Traps management service, you can now continue your analysis in Cortex XDR to identify the root cause and timeline of events. To use integrated security event analysis with Cortex XDR, you must have a valid Cortex XDR license and enable the Monitor and collect enhanced endpoint data capability in an Agent Settings profile. |
Enabling Enhanced Data Collection (change to previous behavior) | The option to Monitor and collect enhanced endpoint data can now be enabled only if you have a valid Cortex XDR license and allocated log storage in your Cortex Data Lake instance. When enabled, Traps shares detailed information about all active file, process, network, and registry activity on an endpoint with other Cortex apps. This information provides Cortex apps with the endpoint context so that you can gain insight into the overall event scope when you investigate a threat. If you do not have a valid Cortex XDR license, the Monitor and collect enhanced endpoint data option in the Agent Settings profile is grayed out and disabled. |
Improved Grid for Actions Tracker | The Actions Tracker is now enhanced to improve usability. When you scroll up and down the page, the headings are docked to remain visible. You can also scroll faster through large numbers of records. |
Features Introduced in July 2019
Feature | Description |
---|---|
New Response Actions for Mac and Linux Endpoints | To take immediate action when a security event occurs on a Mac endpoint or a Linux server with Traps 6.1, you can now initiate the following response actions: You can review the status of the response actions both from the security event and from the Actions Tracker. |
Data Collection for Mac and Linux Endpoints | Traps 6.1 now extends data collection and sharing capabilities to Mac and Linux endpoints. When enabled to do so, Traps uploads endpoint activity data to the Cortex Data Lake. This information provides Cortex apps with the endpoint context so that you can gain insight into the overall event scope when you investigate a threat. This includes all activities that took place during an attack and the endpoints that were involved. When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage for Endpoint Data in your Cortex Data Lake instance. |
Behavioral Threat Protection for Mac and Linux Endpoints | Traps 6.1 now extends Behavioral Threat Protection to protect Mac and Linux endpoints. This enables Traps to monitor endpoint activity to identify and analyze chains of events (known as causality chains) instead of only evaluating a single event on its own. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually. Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) that initiated the activity when Traps detects a match. |
Blacklisted Signers | Traps now includes a pre-defined list of blacklisted processes by signer with the default Malware Security policy. When a process signed by a blacklisted signer tries to run, Traps now blocks its execution and raises a security event. Blacklisted signers are defined by Palo Alto Networks, and changes to the default list can be delivered with content updates. If necessary, you can create an exception from a security event to remove a process from the blacklist. To disable blacklisted signers, contact Support. |
Blocking Upgrades for Isolated Agents (Windows only) | After you isolate an endpoint, Traps management service now disables the ability to upgrade the Traps agent. This ensures the isolation state is enforced on the endpoints, keeping them disconnected from your network. If you select one or more isolated endpoints, the option to upgrade is disabled. If you select a mix of isolated and non-isolated endpoints, Traps management service excludes the isolated endpoints from the bulk action. |
Remote Investigation and Remediation with Live Terminal (Windows only) | If an event requires further investigation and remediation, you can initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity. Live Terminal is supported on endpoints that meet the following requirements. |
Retrieve Files Response Action (Windows only) | You can now initiate a response action to retrieve files from Windows endpoints with Traps 6.1 directly or from the security event in Traps management service. You can retrieve up to 20 files related to a security event (up to 200MB total). As part of the 20 files, you can retrieve additional files by supplying the file path. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, you can view the action from the Actions Tracker. Traps management service retains retrieved files for up to one week. |
Hardened Passwords Using PBKDF2 Encryption (Windows only) | For increased security, the Traps agent uninstall password is now encrypted using a stronger encryption algorithm (PBKDF2) when transferred between Traps management service and the Windows agents. Traps management service automatically applies the stronger algorithm to the password for new installation packages (no password reset is required). The stronger encryption helps prevent attempts to obtain the password. |
Features Introduced in June 2019
Feature | Description |
---|---|
Usability Enhancements for Security Events, Endpoints, and Reports | The Security Events, Endpoints, and Reports pages are now enhanced to improve usability. When you scroll up and down the page, the headings are docked to remain visible. You can also scroll faster through large numbers of records. |
Navigation Bar Redesign | To simplify navigation and improve visibility on wide screens, the new top navigation bar in Traps management service replaces the left navigation menu. It includes the same functionality as before but is now grouped by the following menus: |
Enhanced Filters | New filtering options simplify search in all Traps management service pages. You can now choose which filters to display on each page, per session. To save your filter criteria for use in future sessions, you can pin the relevant filters. By default, the severity filter is pinned for security events and the time frame filter is pinned for time-based pages (such as Security Events and Logs). |
Features Introduced in May 2019
Feature | Description |
---|---|
Enhanced Verdict Information for Quarantined Files | To help you assess whether to restore a quarantined file, Traps management service now provides a history of verdicts and identifies verdicts from multiple verdict-issuing sources. From the additional details view of the file, you can view the WildFire verdict, local analysis verdict, and hash exception verdict. Each verdict also indicates when the verdict was received or changed: for WildFire verdicts, the time is relative to the change in the WildFire cloud service; for local analysis verdicts, the time is relative to the last time a local analysis event was reported for the file matching the file hash; and for hash exception verdicts, the time is relative to the time the exception was created. |
Log Severity Correlation | Traps management service now uses the trapsSeverity field to calculate the Syslog severity based on the following enumeration mapping: Previously, the two values were calculated independently and could be derived from different sources. Synchronizing the two sources provides consistency and clarity between the two fields when you use the Log Forwarding app to forward logs to an external server that receives Syslog messages (or to an email server). |
Unlimited Data Export Capacity | The Traps management service export capacity for security events, endpoints, logs, and other Traps management service records is now increased to enable you to export any desired selection of records. Previously, Traps management service limited exported data to 10,000 records regardless of the selection. To help you better monitor actions related to exporting data, you can now track export actions from the Actions Tracker. In addition, Traps management service has updated the log message type (to view earlier logs, you can use the now renamed log types with the - Legacy suffix). |
Bulk Action Capacity Increases | To streamline management and monitoring of commonly performed bulk actions, you can now initiate a bulk action for an increased number of endpoints. The capacity change applies to the following bulk actions: |
URL Migration Notice | In May, Palo Alto Networks migrated to new URLs used for communication with Traps management service. If you configured your Palo Alto Networks firewalls to use the traps-management-service App-ID instead of allowing access to the specific URLs, the migration is seamless. If you allowed direct access to the old URLs, you must enable access to the new URLs to ensure communication with Traps management service components. |
Features Introduced in April 2019
Feature | Description |
---|---|
Role Management from Cortex Hub | To enable you to manage roles for all Cortex apps in a single location, you now manage roles from the Cortex hub. Any existing users who were assigned roles in the Customer Support Portal and Traps management service are automatically migrated to Cortex hub. We recommend that you review the Cortex Hub Getting Started Guide and the roles assigned to your users following this migration of roles to Cortex hub to determine if any changes are required. In addition, the Permissions page from which you managed role assignments in Traps management service is now removed. |
Extended On-Demand Quarantine Support | Traps management service now extends on-demand quarantine support to macro, ransomware, and malicious child process security events. When you use the quarantine action on a WildFire security event for a malicious macro, Traps quarantines the Microsoft Office file containing the malicious macro. When you use the quarantine action on a ransomware event, Traps quarantines the source process identified as exhibiting ransomware behavior. When you use the quarantine action on a child process event, Traps quarantines the malicious child process identified as exhibiting ransomware behavior. If after you quarantine a file or process you need to restore it, you can easily do so from the security event or from Files Quarantine. |
Quarantine Visibility Enhancements | For increased visibility and management of quarantined files, the following enhancements were made: |
Logs by Custom Timeframes | To help you quickly find server or endpoint logs that occurred during a specific time period, the Timeframe filter has been enhanced to allow you to define Custom date ranges, dates, and times. |
Action Initiator Tracking | The Actions Tracker now indicates the user and service that initiated an action in the Created By field. In the case of policy-initiated actions, the Actions Tracker indicates the action was created by Agent Policy. |
Security Events by Event Type | To help you quickly find specific types of security events, you can now filter by Event Type. Traps management service automatically populates the list of event types that you can select based on the security events reported by your Traps agents. To narrow the list of available event types, you can also Search for a full or partial event type. |
Features Introduced in March 2019
Feature | Description |
---|---|
EDR Data Collection (Windows 7 with SP1 and later releases and Traps 6.0 and later releases) | Traps can now collect detailed information about all active process, network, file, and registry activity on an endpoint and share that data with other Cortex apps. This information provides Cortex apps with the endpoint context so that you can gain insight into the overall event scope when you investigate a threat. This includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage in your Cortex Data Lake instance. |
Features Introduced in February 2019
Feature | Description |
---|---|
Malware Protection for Linux (Traps 6.0 and later releases) | Traps for Linux can now prevent known and unknown malware on Linux servers by leveraging WildFire threat intelligence and local analysis to analyze ELF files. When an ELF file executes on the host server or within a container on the Traps-protected host, Traps automatically suspends the execution until a WildFire or local analysis verdict is obtained. When the verdict is malware, Traps prevents the process execution and reports the event to the Traps management service. If the ELF file is unknown to WildFire, Traps can also upload it to WildFire for further analysis. For compatibility reasons, malware analysis of ELF files on Linux servers requires kernel 3.4 and later versions released before February 4, 2019. Linux servers running other kernel versions will operate in asynchronous mode, where the agent obtains a verdict for the executed ELF file in parallel to its execution and terminates it if a malware verdict is obtained. |
Response Actions (Traps 6.0 and later releases) | Traps can now enforce the following response actions on the endpoint: If you also use Cortex XDR – Investigation and Response for complete visibility across Cortex XDR – Analytics and Traps, you can initiate the response actions from the Cortex XDR – Investigation and Response app. Traps management service coordinates with the Traps agent on the endpoint to enforce the response actions and tracks the action status. |
Behavioral Threat Protection (Windows 7 with SP1 and later releases and Traps 6.0 and later releases) | To expand Traps malware protection capabilities on Windows endpoints, Traps introduces the new Behavioral Threat Protection module. With behavioral threat protection, Traps continuously monitors endpoint activity to identify and analyze chains of events (known as causality chains) rather than a single event. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually. Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) that initiated the activity when Traps detects a match. When Traps detects matching activity, Traps performs the configured action and reports details about the activities that led to the security event. You can review the entire causality chain up to the causality group owner on the Analysis tab of a security event. If, after analyzing the flow of events, you believe the behavior is legitimate, you can define a policy exception from the security event to disable the behavior rule on the endpoint. |
Dynamic Endpoint Group Support for Unused Versions | When you create a dynamic endpoint group, Traps management service now automatically populates two version lists based on your registered Traps agents: installed and other (not-installed) versions. This enables you to include agent or operating system versions that are not currently in use but that you want to include in policy in advance. |
Uninstall Protection for Mac Endpoints | The Traps agent now provides additional tampering protection against attempts to uninstall the Traps agent on Mac endpoints. The uninstall password you configure when you first set up an installation package or configure a security profile now applies to Mac installations. You can later change the uninstall password in an Agent Settings profile. |
Forensic Data Collection Customization | You can now configure preferences for forensic data collection in an Agent Settings profile. This includes the size of the memory dump collected when a security event occurs on an endpoint and whether or not to upload the forensic data automatically to Traps management service. |
Log Forwarding to Email Support | Using the Log Forwarding app, you can configure email forwarding for immediate notification on Traps and Traps management service events (such as critical or high severity logs) to alert your incident response and monitoring teams. You can forward all logs or a subset of logs based on log attributes such as Log Types (Threat, Config, System, or Analytics) or severity. |
Traps Security and Deployment Report | The Traps management service can now generate the Traps Security and Deployment Report, which provides a high-level summary of the security and deployment status of your endpoints. You can schedule the report to run on a recurring basis, or you can generate the report on demand. You can also optionally send the report to one or more e-mail addresses. |
New Deployment Admin Role | Traps management service now provides a new role for deployment administrators, which you can use to restrict access to deployment-related activities only. Users with the Deployment Admin role can view the dashboard summary for platforms, licenses, and content version distribution; manage endpoints; track endpoint management actions; create installation packages; and view logs. |
Features Introduced in January 2019
Feature | Description |
---|---|
Dynamic Endpoint Group Support for Operating Systems | You can now define membership for a dynamic endpoint group based on the specific endpoint type (workstation, server, or mobile) or operating system version (for example, SUSE Linux 12.1). When you define an endpoint group for an operating system, Traps management service presents a list of operating systems and versions based on your registered endpoints. After you define your endpoint group, you can use it to manage endpoints, apply policy, or apply exceptions to endpoints of a specific type or operating system version. |
Installation Package Visibility | You can now hide installation packages that are less critical or no longer relevant on the Agent Installations page. |