You are on page 1of 134

Traps Management Service

Administrator’s Guide

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2017-2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
June 29, 2018

2 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE |


Table of Contents
Traps Management Service Overview........................................................... 5
Traps Management Service...................................................................................................................... 7

Get Started with the Traps Management Service.......................................9


Plan Your Traps Management Service Deployment........................................................................ 11
Migrate from the Traps Endpoint Security Manager to the Traps Management Service........ 12
Differences Between Endpoint Security Manager and Traps Management
Service............................................................................................................................................. 14
Assign Roles to Manage Cloud Services............................................................................................. 17
Set Up Directory Sync Service.............................................................................................................. 19
Activate the Traps Management Service............................................................................................20
Manage Logging Storage for Traps...................................................................................................... 24
Enable Access to the Traps Management Service............................................................................27
Use the Traps Management Service Dashboard...............................................................................29

Administer the Traps Management Service............................................... 31


Manage Traps Installation Packages.................................................................................................... 33
Create an Installation Package..................................................................................................33
View Details About an Installation Package..........................................................................34
Remove an Installation Package............................................................................................... 35
Define Endpoint Groups......................................................................................................................... 37
Manage Registered Endpoints............................................................................................................... 39
Filter the Endpoints..................................................................................................................... 39
View Details About an Endpoint..............................................................................................39
View the Endpoint Security Policy.......................................................................................... 40
Retrieve Logs from an Endpoint...............................................................................................41
Upgrade Traps...............................................................................................................................42
Uninstall Traps.............................................................................................................................. 43
Delete an Endpoint......................................................................................................................43
About Traps Licenses...............................................................................................................................45

Manage Endpoint Policy................................................................................. 47


Endpoint Policy Concepts.......................................................................................................................49
Protection Capabilities................................................................................................................ 49
Protection Modules..................................................................................................................... 52
Processes Protected by the Default Policy........................................................................... 55
Customizable Traps Settings..................................................................................................... 60
Traps Profiles............................................................................................................................................. 62
Add a New Exploit Security Profile.........................................................................................62
Add a New Malware Security Profile......................................................................................64
Add a New Restrictions Security Profile................................................................................ 68
Add a New Agent Settings Profile...........................................................................................70
Configure a Policy Rule........................................................................................................................... 72

Assess and Remediate Security Events.......................................................75


What is a Security Event?...................................................................................................................... 77

TABLE OF CONTENTS iii


Security Event Severity Levels..................................................................................................77
Security Event Details.................................................................................................................79
WildFire Analysis Details............................................................................................................81
Assess Security Events............................................................................................................................ 83
Create a Policy Exception.......................................................................................................................86
Create a Process Exception.......................................................................................................86
Create a Hash Exception............................................................................................................89
Manage Support Exceptions......................................................................................................91
Scan an Endpoint for Malware..............................................................................................................93
Investigate a File....................................................................................................................................... 96
Review WildFire Analysis Details......................................................................................................... 98
Manage Quarantined Files................................................................................................................... 100

View and Manage Logs................................................................................ 105


Log Types and Severity Levels............................................................................................................107
Endpoint Logs............................................................................................................................. 107
Server Logs.................................................................................................................................. 110
Data Retrieval..........................................................................................................................................118
View Logs from the Traps Management Service........................................................................... 119
Filter Logs on the Traps Management Service............................................................................... 120
Export Logs from the Traps Management Service.........................................................................121
Forward Traps Logs to a Syslog Server............................................................................................ 122
Configure Log Forwarding of Traps Logs............................................................................ 122
Traps Logs Format for Syslog Export from the Logging Service.................................... 123

iv TABLE OF CONTENTS
Traps Management Service Overview
> Traps Management Service

5
6 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Traps Management Service Overview
© 2018 Palo Alto Networks, Inc.
Traps Management Service
As new malware variants pop up around the globe and new software bugs and vulnerabilities are
discovered, it can be challenging to ensure that your endpoints remain secure. With the Traps management
service, a cloud-based endpoint security service, you save the time and cost of having to build out your
own global endpoint security infrastructure. The simplified deployment, which requires no server licenses,
databases, or other infrastructure to get started, enables you to start protecting your endpoints quickly.
In addition, you forward logs generated by the Traps components to the Logging Service, and view the logs
directly from the Traps management service.

With the Traps management service, Palo Alto Networks will deploy and manage the security infrastructure
globally to manage the endpoint security policy for both local and remote endpoints, and ensure that the
service is secure, resilient, up to date, and available to you when you need it. This allows you to focus less
on deploying the infrastructure and more on defining the polices to meet your corporate usage guidelines.
The Traps management service is comprised of the following components:
• Traps Management Service Web Interface—A cloud-based security infrastructure service that is
designed to minimize the operational challenges associated with protecting your endpoints. From the
Traps management service, you can manage the endpoint security policy, review security events as they
occur, and perform additional analysis of associated logs.

You can host your Traps management service tenant in either the US Region or EU
Region.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Traps Management Service Overview 7


© 2018 Palo Alto Networks, Inc.
• Traps Agents—Each local or remote endpoint is protected by the Traps agent. The Traps agent enforces
your security policy on the endpoint and reports when it detects a threat. Traps agents support secure
communication with the Traps management service using Transport Layer Security (TLS) 1.2.
• Palo Alto Networks cloud-delivered security services:
• Logging Service—A cloud-based logging infrastructure that allows you to centralize the collection and
storage of logs generated by your Traps agents regardless of location. The Traps agents and Traps
management service forward all logs to the Logging Service. You can view the logs for your agents
in the Traps management service. With the Log Forwarding app, you can also forward logs to an
external syslog receiver.

You can host your Logging Service instance in either the US Region or EU Region.

• Directory Sync Service—The Directory Sync Service enables Palo Alto Networks cloud-based
applications to leverage computer, user, and group attributes from your on-premise Active Directory
for use in policy and endpoint management. The Directory Sync Service uses an on-premise agent to
collect computer, user, and group attributes from your on-premise Active Directory. The Directory
Sync Service agent runs in the background to collect the Active Directory information and syncs it
with the cloud-based Directory Sync Service that you configure using the Cloud Services Portal.

You can host your Directory Sync Service instance in either the US Region or EU
Region.
• WildFire cloud service—The WildFire cloud service identifies previously unknown malware and
generates signatures that Palo Alto Networks firewalls and the Traps management service can use
to then detect and block the malware. When a Traps agent detects an unknown sample (attempts
to run a macro, DLL, or executable file), the Traps management service can automatically forward
the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample
displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be
benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly-
discovered malware, and makes the latest signatures globally available every five minutes.

8 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Traps Management Service Overview


Get Started with the Traps Management
Service
Welcome to the Traps management service! Follow the instructions in the following sections
to get up and running quickly and easily:

> Plan Your Traps Management Service Deployment on page 11


> Migrate from the Traps Endpoint Security Manager to the Traps Management Service
> Assign Roles to Manage Cloud Services
> Set Up Directory Sync Service
> Activate the Traps Management Service
> Manage Logging Storage for Traps
> Enable Access to the Traps Management Service
> Use the Traps Management Service Dashboard

9
10 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
Plan Your Traps Management Service
Deployment
Before you get started with the Traps management service, plan your deployment:
Determine your log storage requirements. By default, the Traps management service includes 100GB of
log storage when you activate the Traps management service. If you require additional log storage you
must purchase an additional Logging Service license.
Determine whether you will forward both firewall logs and Traps management service logs to the same
Logging Service instance. If you plan to forward both, you must first activate the Logging Service from
the Customer Support Portal instead of activating the Logging Service from the Cloud Services Portal
and then associate it with the Traps management service during activation. This sequence allows you to
associate the Auth code with Panorama and later associate the same Logging Service instance with the
Traps management service.
Determine the region in which you want to host the Traps management service and any associated
services (Logging Service and Directory Sync Service).
Calculate the bandwidth required to support the number of agents you plan to deploy. For every
100,000 agents, you will need to allocate 120Mbps of bandwidth. The bandwidth requirement scales
linearly. For example, to support 300,000 agents, plan to allocate 360Mbps of bandwidth (three times
the amount required for 100,000 agents).

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 11
© 2018 Palo Alto Networks, Inc.
Migrate from the Traps Endpoint Security
Manager to the Traps Management Service
You can easily migrate the Traps agent from management by the Endpoint Security Manager (ESM) to the
Traps management service. The minimum version of the ESM and Traps agent that supports migration
depends on the endpoint operating system:
• Windows and Mac—Endpoint Security Manager (ESM) 4.1.3 and Traps agent 4.1.0 on Windows and Mac
endpoints.
• Linux—Endpoint Security Manager (ESM) 4.2 and from Traps agent 4.2 on Linux endpoints.
Before you migrate to the Traps management service:
Review Differences Between Endpoint Security Manager and Traps Management Service to determine
whether upgrading to the Traps management service is right for you.
Sanitize your security policy—Because the policy structure for Traps management service is different
than Traps Endpoint Security Manager (ESM), you cannot migrate rules from an existing deployment.
Before migrating to Traps management service, we recommend that you review existing user rules for
each policy type and remove any that are no longer required. For example, remove any rules that are
resolved in content updates or that apply to older Traps agent versions.
Review restore candidates—Before migrating to Traps management service, review any files that
were quarantined and determine whether the file needs to be restored or any additional action to
remeditate the endpoint is required. After you upgrade the agent version to Traps 5.0, the agent will not
communicate with the Traps ESM, and therefore will not respond to requests from the ESM to restore
files.
Review security events—Review and address any events that require remediation before migrating to
the Traps management service. Note that security events that were not sent to the ESM before installing
the new agents will not be sent to the Traps management service.
Locate your ESM Auth code—You can locate the Auth code in the Customer Support Portal (Assets >
Advanced Endpoint Protection).

STEP 1 | Activate the Traps Management Service.


As an existing ESM customer, you can use your ESM Auth code to activate the Traps management
service without purchasing additional licenses. Using the same Auth code enables you to apply the same
license pool and expiration specifications to your Traps management service instance.
Log into the Cloud Services Portal to activate the Traps management service. During activation you can
also associate the Traps management service with a Logging Service instance and Directory Sync Service
instance.

STEP 2 | Import hash overrides as hash exceptions in the Traps management service.
1. From the ESM Console, select Settings.
2. Generate a Tech Support File and download it when it finishes.
3. Extract the TechSupport ZIP file which contains two zipped files (one for Core and one for
Console).
4. Extract the Console ZIP file.
5. Open the DBQueries folder and locate the Verdict_Override_Exports.csv file.
This file contains all the hash overrides defined in the ESM Console.
6. Log in to the Traps management service and select Exceptions > Hash Exceptions.

12 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
7. Select Actions > Import CVS.
8. Select and then Upload the Verdict_Override_Exports.csv file.

If necessary, resolve any conflicts encountered during the upload and retry.
9. Select Import to confirm and then OK when the Traps management service finishes importing the
hash exceptions.

STEP 3 | Migrate trusted signers and whitelisted paths.


1. From the Traps management service, Add a New Malware Security Profile for any platforms to which
you want to add whitelisted signers or paths. Use the default profile settings, or modify an existing
profile that you already created.
2. To allow trusted signers previously seen in your environment, add the signer name (Windows) or
SHA256 of the certificate that signs the file (MacOS) to the Whitelist Singers list of the relevant
Malware Security Profile.
3. Evaluate the WildFire rule(s) for each platform on the ESM Console and identify any whitelisted paths
that are still relevant and add them to the Whitelist Folders area of the appropriate Malware Security
Profile on the Traps management service.

There may be more than one WildFire rule with whitelists. While the ESM merges
WildFire rules, this capability is not available in the Traps management service.

Ensure that you migrate paths to the relevant Malware Security Profile for each platform:
• Copy paths in macOS WildFire rules to the Mach-O Files whitelist in a MacOS profile.
• Copy paths in Windows WildFire rules for Executables or DLL files to the Portable Executables
and DLLs whitelist in a Windows profile.
• Copy paths in Windows WildFire rules for Office files to the Office Files whitelist in a Windows
profile.
4. Configure a Policy Rule for each group of target objects to which the profile (and any associated hash
exceptions) applies.
You can return to the Profiles > Malware Profile page to specify the target objects after you upgrade
the Traps agent.

STEP 4 | Migrate rules which disable protection on processes.


For each remaining rule which disables protection on a specific process or disables a specific protection
module on the process, Create a Process Exception on the Traps management service and note the
specific endpoints to which the exception applies. You can return to Process Exceptions page to restrict
the exception to the specific endpoints after you upgrade the Traps agent.

STEP 5 | Upgrade the Traps agent to Traps 5.0.


• Traps 4.1 (Windows and Mac) or Traps 4.2 (Linux) and later releases

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 13
© 2018 Palo Alto Networks, Inc.
• 1. From the Traps management service, Create an Installation Package with an installation type as
Upgrade from ESM.
2. Download the package to a location reachable to the ESM.
3. From the ESM Console, disable services protection and then create an agent action rule to
upgrade the Traps agent using the package created from the Traps management service.

Because this procedure is valid only for a specific version of Traps agents, we
recommend using a condition for the action rule to upgrade the agents which
specifies the Traps agent version.
4. Save and Apply the rule.
• Older Traps versions
There are three options for upgrading older Traps versions:
• Upgrade the older version to a version which supports migration using action rules, and then use
the previous workflow to upgrade the Traps agent.
• Upgrade the Traps agent using a third-party software deployment tool such as JAMF or SCCM.
With this method you must uninstall the agent and install a fresh installation package of Traps 5.0
instead of an upgrade package.
• Manually uninstall the older Traps agent and install a fresh installation package of Traps 5.0.
After the upgraded Traps agent begins communicating with the Traps management service. Endpoints
that successfully check in with the Traps management service are displayed on the Endpoints page and
are eligible for assignment in Endpoint Groups and policy rules.

STEP 6 | Return to the Policy Rules and Exceptions pages to restrict by specific endpoints.

Differences Between Endpoint Security Manager and Traps


Management Service
The following table compares capabilities between the Traps Endpoint Security Manager (ESM) 4.1 and the
Traps management service. A — indicates a capability is not currently available.

Feature Endpoint Security Manager Traps management service

Visibility

Visibility into all file executions— Hash Control File Analytics


including when Office files open
and DLLs load into sensitive
processes—and the file’s
associated WildFire Report.

Administrative control to Hash Control File Analytics


override verdicts for files that
ran previously. Set verdicts from
Benign to Malware and Malware
to Benign.

Import never seen hashes and Hash Control Exceptions > Hash Exceptions
set verdicts for them.

14 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
Feature Endpoint Security Manager Traps management service

Display quarantined files that are Hash Control Logs > Restore Candidates
eligible to be restored to their
original location on the endpoint.

Security events search criteria Security Events—Endpoint, user Security Events—Limited options
name, and process. to filter security events.

Log forwarding SIEM, Syslog, Panorama, Email Log forwarding to a Syslog


receiver is available with the Log
Forwarding app

Policy Management

Exception creation and policy You can create almost any policy Palo Alto Networks can also
configuration rule that Palo Alto Networks create granular policy changes,
Research teams (often at the using either support exceptions
instruction of Support) can or content updates. You can
create. also an edit profiles, create
exceptions from security events,
You can also whitelist very
and disable specific capabilities,
specific flows including
such as for a specific module or
whitelisting specific DLLs for
process.
EPMs, and allowing specific child
processes.

Exceptions for Active Directory Assign rules to any AD object. Exceptions cannot be assigned
(AD) objects to AD objects (or virtual groups).

Change mode per process Report or block an event based Report or block an event based
on the process. on the category and not the
process.

View protected processes Visibility from the ESM Console Visibility from product
(Policies > Exploit > Process documentation (Processes
Management). Protected by the Default Policy).

View policy from the Traps The Traps console displays —


console the applied policy rules and
exceptions that apply on the
agent.

Conditions Settings > Conditions— Endpoint Groups—Create


Conditions based on file dynamic groups based on the
properties and registry values. following conditions: host
name, domain, workgroup, IP
addressing, and VDI. Does not
support conditions based on OS,
agent versions, etc.

Agent and ESM settings Granular control over settings Fixed settings but reduced
such as the Heartbeat Interval heartbeat interval (5 minutes)
(the frequency at which the and reporting interval (1 hour).
Traps agent attempts to check

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 15
© 2018 Palo Alto Networks, Inc.
Feature Endpoint Security Manager Traps management service
in), the Reporting Interval
(the frequency at which the
Traps agent sends report
notifications, including changes
in service, crash events, and new
processes), and the Heartbeat
Grace Period (the allowable time
period for a Traps agent that has
not responded, after which the
status changes to disconnected).

Content updates Choice of manual or automated Automated content updates


content update installation. delivered directly to your Traps
management service tenant by
Palo Alto Networks.

Endpoint and Tenant Management

Role-based access control Granular access control for One role for access to all Traps
different areas and flows in the management service features.
ESM Console.

Agent revocation Automatic and manual license Automatic license revocation


revocation. only.

Custom notification message Customizable notification —


messages.

16 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
Assign Roles to Manage Cloud Services
To assign roles to or create other users in the Customer Support Portal, you must be assigned a Super User
role.
To activate cloud services such as the Traps management service from the Cloud Services Portal, you must
have an account in the Customer Support Portal and a valid Auth code. However, to access the service,
either directly using the Traps management service URL, or from the Cloud Services Portal, you must be
assigned the corresponding service role from the Customer Support Portal. When you log in to the Cloud
Services Portal, you see tiles for all services associated with your user account. Note that after activating
a service, the tile can briefly appear on your Cloud Services Portal but is subsequently removed unless you
have the associated service role.
The list of roles are:

Role Description

Super User Required to assign roles and create users in the Customer Support Portal.

Traps Provides access to the Traps management service where you can manage and
protect your endpoints from malware and software exploits.

Directory Sync Directory Sync is an optional service that reads Active Directory information on a
Service customer's network, and sends it to the Palo Alto Networks cloud so that apps can
access it for reporting and analytics purposes. You must have this role to set up the
Directory Sync Service.

Logging Service Logging Service enables the storage and query of logging data. Logging data can
be either network logs as written by firewalls, or logs written by apps and services
such as the Traps management service. Assign this role if the administrator must
configure the Logging Service, manage logging quotas for the Traps management
service, or configure log forwarding using the Log Forwarding app.

To assign roles from the Customer Support Portal:

STEP 1 | Log in to the Customer Support Portal (https://support.paloaltonetworks.com/) and select


Members > Manage Users.

STEP 2 | Locate or search for the user(s) for which you want to enable access to the Traps management
service and other services. Or, if the user does not already exist, Add Member.

STEP 3 | Click the edit icon in the Actions column for the user.

STEP 4 | Click in to the Roles cell and select the desired roles, one at a time depending on the role of the
user.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 17
© 2018 Palo Alto Networks, Inc.
STEP 5 | Click the check mark in the Actions column when finished.

STEP 6 | Next steps...


• (Optional) Set Up Directory Sync Service.
• If you have not already done so, Activate the Traps Management Service.

18 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
Set Up Directory Sync Service
The Directory Sync Service is an optional service that enables you to leverage your user directory when you
configure policies in the Traps management service. To set up Directory Sync Service, you must perform
the following tasks and then specify your Directory Sync Service instance when you Activate the Traps
Management Service.
The Directory Sync Service supports the US Region and EU Region.

If you disassociate a Directory Sync Service instance with a Traps management service
tenant, Palo Alto Networks recommends that you remove all Active Directory (AD) objects
from any active rules. Traps cannot continue to apply policy rules to Active Directory objects
without the relationship with the Directory Sync Service. If you later re-associate the Traps
management service tenant with the same Directory Sync Service and did not remove the
original AD objects from your policy rules, only the rules for AD Computers and Users will
reapply. For a policy rule to apply to other types of AD objects, you must re-add them to any
policy rules.

The following high-level workflow provides a brief overview on the steps you need to follow to set up the
Directory Sync Service. For detailed workflows on how to set up, manage, and troubleshoot Directory Sync
Service, refer to the Directory Sync Service Getting Started Guide.

STEP 1 | Review the Directory Sync Service System Requirements and Prerequisites.

STEP 2 | Create Directory Sync Service Instances.

STEP 3 | Generate Certificates to Authenticate the Directory Sync Service and the Agent.

STEP 4 | Install the Directory Sync Service Agent.

STEP 5 | Configure the Directory Sync Service Agent.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 19
© 2018 Palo Alto Networks, Inc.
Activate the Traps Management Service
After you purchase Traps licenses, you will receive an email with an Auth code that you can use to activate
your Traps management service tenant. The Directory Sync Service and Logging Service are also available
to you.

While Directory Sync Service does not require you to register the service separately, you must perform
additional configuration to begin using the service.
By default, the Traps management service includes 100GB of log storage when you activate the Traps
management service. With the Traps Included Storage option, you do not need to activate the Logging
Service separately. However, if you plan to use the same Logging Service instance for both firewall logs and
Traps management service logs, you must first activate the Logging Service from the Customer Support
Portal instead of activating the Logging Service from the Cloud Services Portal and then associate it with
the Traps management service during activation. This sequence allows you to associate the Auth code with
Panorama and later associate the same Logging Service instance with the Traps management service.
Use the following workflow to activate and set up a Traps management service tenant:

STEP 1 | Before you begin:


Locate your Auth code either in the confirmation email you received after you purchased Traps
licenses or in the Customer Support Portal (Assets > Advanced Endpoint Protection).
Ensure that you and any additional users have the appropriate roles assigned in the Customer
Support Portal. To access services from the Cloud Services Portal, you must have the appropriate
service roles. To assign roles, see Assign Roles to Manage Cloud Services.

STEP 2 | Sign In to the Cloud Services Portal at https://apps.paloaltonetworks.com/.


Anyone with a Palo Alto Networks Customer Services account can log into the portal, but you can't
access an app or service from the portal until you have activated it.

20 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
STEP 3 | (Optional) Set Up Directory Sync Service.
The Directory Sync Service reads Active Directory (AD) information on your network and sends it to the
Palo Alto Networks cloud. This enables you to configure rules in your Traps management service tenant
that apply to AD objects such as users and groups. Before you can begin assigning policy to AD objects,
you must set up the service.

STEP 4 | Set up Logging Service if you intend to use the same Logging Service instance to store logs
from Palo Alto Networks firewalls. If you plan to use only the Traps Included Storage, skip to
the next step to activate the Traps management service.
You must activate the Logging Service from the Customer Support Portal and retrieve the license on
Panorama (see License and Install the Cloud Service Plugin), if you want to store Traps logs and firewall
logs to the same Logging Service instance.

STEP 5 | Activate the Traps management service.


Before you can log in to the Traps management service, you must activate the app.
1. Log in to the Cloud Services Portal and click Activate New App.
2. Enter the Auth Code you received to activate the Traps management service and click Continue.
The Cloud Services Portal prompts you for information to activate your Traps management service
tenant.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 21
© 2018 Palo Alto Networks, Inc.
3. Enter an Instance Name to identify your tenant in the Cloud Services Portal and provide an optional
Description.
4. Select the Region in which you want to host the Traps management service tenant: US East (N.
Virginia) or EU (Frankfurt).
The region you choose determines the location of the Logging Service and optionally the Directory
Sync Service as well as the privacy regulations applied to your Traps management service tenant.
The Traps agents can communicate with a Traps management service deployed in any region.
5. Enter the Subdomain that you want to use for your tenant of the Traps management service.
For example, if you enter mycompany as the subdomain, Palo Alto Networks will create your tenant
of the Traps management serviceas mycompany.traps.paloaltonetworks.com.
6. Choose a Logging Service instance to use to store logs.
The Cloud Services Portal displays the list of Logging Service instances available in your Region. If
you did not already purchase and activate Logging Service, the Traps management service includes
100GB of logging storage.
7. If you #unique_18, select your Directory Sync Service instance.
8. Review the terms of the End User License Agreement and Agree and Activate.
9. Click Done.

22 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
STEP 6 | Manage Logging Storage for Traps.
Before you can begin storing logs, you must set quota allocation preferences for the Traps management
service.

STEP 7 | Enable Access to the Traps Management Service.

STEP 8 | Verify the status of your Traps management service tenant.


1. From the Cloud Services Portal, click the gear icon next to your name.
2. In the Traps area, review the STATUS for the Traps management service tenant you just activated.

When the Traps management service tenant is available, the status changes to the green check mark.

STEP 9 | Access your Traps management service tenant for the first time.
There are two ways to access your Traps management service tenant: Return to the
Cloud Services Portal (https://apps.paloaltonetworks.com/) and select your tenant from
the Traps management service tile. Or, go directly to the web address for your tenant
(https://<subdomain>.traps.paloaltonetworks.com).

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 23
© 2018 Palo Alto Networks, Inc.
Manage Logging Storage for Traps
The Logging Service provides granular control over quota allocation for each type of log it receives. After
you activate the Traps management service, you must define how the service allocates log storage for
Traps. If your Logging Service instance receives logs from other apps or services, you will need to consider
how to allocate storage across all services and apps.

STEP 1 | Sign In to the Cloud Services Portal at https://apps.paloaltonetworks.com/.

STEP 2 | Select your Logging Service instance.


If you have multiple Logging Service instances, hover over the Logging Service tile and then select the
Logging Service instance from the list of available instances associated with your account.

STEP 3 | Select Configuration to define logging storage settings for Traps.


The Logging Service displays the total storage allocated for the apps and services associated with the
Logging Service instance. The Logging Service displays this information graphically and adjusts the
graphic based on the storage policy you define below. The Logging Service storage policy specifies the
distribution of your total storage allocated to each app or service and the minimum retention warning
(not supported with the Traps management service).

STEP 4 | Adjust the quota allocated for each type of Traps logs.

You cannot exceed 100% log storage allocation.

1. Select the total size you want to allocate to Traps logs.

24 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
If your total allocated quota is already at 100% for non-Traps apps and services, reduce the quota for
available log types to free up storage for the Traps management service.
Use the arrows to increment or decrement existing allocations or enter a new quota percentage.
2. Expand the Traps allocation and adjust the storage allocated for each type of Traps log.

The following table describes the different record types for Traps with the recommended storage
allocation for each record type.

Record Type Description Recommended


Allocation

Threat Includes information regarding all security events logged by Traps. 1%


This includes events such as malware and exploit preventions, post-
detection events, and restriction notifications.

Config Audit logs recorded by the Traps management service. This includes 1%
policy events—such as changes to the Traps security policy,
exception management, and profile management. Audit logs also
include other configuration changes such as device management,
distribution management, and system management.

System On-going monitoring of Traps management service system and 15%


agent events. Examples include changes or updates to license
management, agent registration, user authentication, agent
monitoring, agent upgrade, and agent protection status. System logs
are often required for day-to-day operations, as well as support and
troubleshooting activities.

Analytic Logs from the hourly hash execution report from every Traps agent. 83%
Provides visibility on tracking attempted malware executions in
your protected environment, hash exception policy changes, and
forensics. File analytics reports consume a considerable share of
Traps storage space.

To see the record type for a specific Traps log, see Log Types and Severity Levels.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 25
© 2018 Palo Alto Networks, Inc.
STEP 5 | Apply your changes.

26 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
Enable Access to the Traps Management
Service
After you receive your account details, enable and verify access to the Traps management service.

STEP 1 | If you enabled SSL Decryption on your Palo Alto Networks firewall, install the certificate used
for decryption as a trusted root CA certificate for the system.
Otherwise, you must add *.traps.paloaltonetworks.com to your SSL Decryption Exclusion list.
In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL
Decryption Exclusion.

STEP 2 | In your firewall configuration, enable access to Traps management service communication
servers.

With Palo Alto Networks firewalls, it is recommended to use the App-ID traps-
management-service to allow communication between Traps agents and the Traps
management service. To use the App-ID traps-management-service, you must
install the Application and Threat content update version 793 or later.

If you do not use a Palo Alto Networks firewall:


• Enable access to the following addresses over port 443 where <tenant> is your chosen subdomain.
• contentprod.traps.paloaltonetworks.com—Used to host content updates.
• distributions.traps.paloaltonetworks.com—Used for provisioning Traps agents for
the first time to obtain the agent provisioning URL for the tenant.
• ch-<tenant>.traps.paloaltonetworks.com—Used for communication between the Traps
agent and the preferred Traps management service for the home region.
• cc-<tenant>.traps.paloaltonetworks.com—Used for communication between roaming
Traps agents and the Traps management service.
• <tenant>.traps.paloaltonetworks.com—Used to access your tenant of the Traps
management service.
• Enable access to the following URLs to allow Traps agents to access Palo Alto Networks S3 buckets
in AWS:
• EU region:
• https://s3.eu-central-1.amazonaws.com/proda2-agent-uploads-70—Used for
uploading files from the Traps agent to the Traps management service in the EU region.
• https://s3.eu-central-1.amazonaws.com/distributions-proda2-frankfurt—
Used for provisioning Traps agents for the first time to obtain the agent provisioning URL for
the tenant.
• https://s3.eu-central-1.amazonaws.com/scanning-results-proda2-
frankfurt—Used by the Traps management service to store the results of a scanning report
with the Traps agent.
• https://s3.eu-central-1.amazonaws.com/installers-origin-proda2-
frankfurt—Used by the Traps management service to host the installers used to upgrade
the Traps agents.
• US region:
• https://s3.amazonaws.com/proda-agent-uploads-10—Used by Traps agents to
upload files to the Traps management service in the US region.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 27
© 2018 Palo Alto Networks, Inc.
• https://s3.amazonaws.com/distributions-proda-n.virginia—Used for
provisioning Traps agents for the first time to obtain the agent provisioning URL for the tenant.
• https://s3.amazonaws.com/scanning-results-proda-n.virginia—Used by
Traps agents to upload files that require analysis as indicated in a scan of the endpoint.
• https://s3.amazonaws.com/installers-origin-proda-n.virginia—Used by the
Traps management service to host the installers used to upgrade the Traps agents.

STEP 3 | Verify that you can access your tenant of the Traps management service.
After you download and install the Traps software on your endpoints (see Create an Installation
Package) and Manage Endpoint Policy, verify that the Traps agents can receive changes to the policy.

28 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
© 2018 Palo Alto Networks, Inc.
Use the Traps Management Service Dashboard

The Dashboard widgets display general information about the Traps management service. Each chart is
described in the following table.

Dashboard Chart Descriptions

UNRESOLVED Surfaces statistics on unresolved security events by the severity level of


SECURITY EVENTS the event. By default, this chart displays data from the last 30 days. Use the
Events Time drop-down to change the data collection period.

PLATFORMS Displays the total number of registered agents and the distribution of agents
by platform.

LICENSE Displays information about your Traps management service license including
the license expiration date and the number of license seats that are currently
allocated. If you are close to running out of license seats or your license is
about to expire, consider renewing or purchasing additional licenses.

CONTENT Displays the distribution of agents by content version.


DISTRIBUTION
After a new content update is available, agents gradually receive the latest
policy as they check-in with the Traps management service. If an agent uses
an outdated policy for an extended period of time, consider manual steps to
ensure the agent can connect to the Traps management service.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management Service 29
© 2018 Palo Alto Networks, Inc.
30 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Get Started with the Traps Management
Service
Administer the Traps Management Service
> Manage Traps Installation Packages
> Define Endpoint Groups
> Manage Registered Endpoints
> About Traps Licenses

31
32 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service
© 2018 Palo Alto Networks, Inc.
Manage Traps Installation Packages
To ensure that your endpoints remain secure, you must download the Traps software and install it on your
endpoints. From the Traps management service, you can manage multiple installation packages for different
Traps versions and operating systems.

On new tenants created in June 2018 or later, you must change the default uninstall
password to a new password which meets the Traps management service security
standards before you can create installation packages. To later change the uninstall
password, create an Agent Settings Profile to assign to a policy rule.

After you create an installation package, you can then install it directly on an endpoint or you can use a
software deployment tool of your choice to distribute the software to multiple endpoints. To install Traps,
you must use a valid installation package that exists on the Traps management service. If you delete an
installation package and later attempt to use it to install Traps, the agent will not be able to register to the
Traps management service.
• Create an Installation Package
• View Details About an Installation Package
• Remove an Installation Package

Create an Installation Package


To create a new installation package:

STEP 1 | From the Traps management service, select Agent Installations.


If your tenant was created after June 2018, you must define an uninstall password before you can create
an installation package.

STEP 2 | Create a new installation package.

STEP 3 | Enter a unique Name and a Description to identify the installation package.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service 33
© 2018 Palo Alto Networks, Inc.
The package Name can contain letters, numbers, or spaces and must be fewer than 64 characters.

STEP 4 | Select the Package Type.


• Standalone Installers—Use for fresh installations and to Upgrade Traps on a registered endpoint that
is connected to the Traps management service.
• (Windows, macOS, and Linux only) Upgrade from ESM—Use to upgrade Traps agents which connect
to the on-premise Traps Endpoint Security Manager. For more information on migrating to the
Traps management service, see Migrate from the Traps Endpoint Security Manager to the Traps
Management Service.

STEP 5 | Select the Platform for which you want to create the installation package.

STEP 6 | (Windows, macOS, and Linux only) Select the Agent Version for the package.

STEP 7 | Click Save.


The Traps management service prepares your installation package and makes it available on the Agent
Installations page. For Android endpoints, the Traps management service creates a tenant-specific
download link which you can distribute to Android endpoints.

You cannot upgrade from the Traps for Android Beta to this version. If you participated
in the Traps for Android Beta, you must uninstall the Beta version and install the new
version.

STEP 8 | Next steps:


• For Windows, macOS, and Linux endpoints, download and install Traps. For Android endpoints, Copy
Download Link and distribute it to your Android users. See the Traps Agent Administrator's Guide for
your agent version for instructions.
• View Details About an Installation Package
• Remove an Installation Package

View Details About an Installation Package


From the Traps management service, you can create installation packages for Windows, Mac, Linux, and
Android endpoints. To help you manage installation packages for different agent versions and operating
systems, the Traps management service displays the available packages on a single page and displays the
total number of installation packages including the number of outdated packages. For each installation
package, the Traps management service also provides a summary which includes the following details:
• Agent version. Outdated packages are highlighted in orange.
• Date and time the package was created
• Administrator who created the package

STEP 1 | From the Traps management service, select Agent Installations.

34 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service
© 2018 Palo Alto Networks, Inc.
STEP 2 | Locate and view details about the installation package.

STEP 3 | Next steps:


• Install Traps. See the Traps Agent User Guide for your agent version for instructions.
• Remove an Installation Package

Remove an Installation Package


If an installation package is no longer required, you can remove it from the Agent Installations page.
Removing an installation package does not uninstall the Traps software from any endpoints. However, if
you install Traps from a package after you remove it from the Agent Installations page, the Traps agent will
not be able to register with the Traps management service.

STEP 1 | From the Traps management service, select Agent Installations.

STEP 2 | Hover over the installation package and select the delete icon.

STEP 3 | Confirm you want to delete the installation package.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service 35
© 2018 Palo Alto Networks, Inc.
The Traps management service removes the installation package so that you cannot download or use it
to install Traps on additional endpoints.

36 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service
© 2018 Palo Alto Networks, Inc.
Define Endpoint Groups
To easily apply policy rules to specific endpoints, you can define an endpoint group. There are two methods
you can use to define an endpoint group: You can create a static group by defining a list of endpoints using
the endpoint’s hostname or alias, or you can allow the Traps management service to populate your endpoint
group dynamically using specific endpoint characteristics such as a partial hostname or alias; full or partial
domain or workgroup name; or IP address, range or subnet. After you define an endpoint group you can
then use it in your policy rules to narrow the scope of the rule to apply it to only the endpoints in the group.
The Endpoint Groups page displays all endpoint groups along with the number endpoints and policy rules
linked to the endpoint group.

STEP 1 | From the Traps management service, select Endpoint Groups.

STEP 2 | Create a new endpoint group or hover over an existing group and click

to edit it.

STEP 3 | Enter a Name and Description to identify the endpoint group. The name you assign to the
group will be visible when you create new policy rules.

STEP 4 | To determine the endpoint properties you want to use to create a group, select the
Membership Type:
• Static—Add endpoints by the endpoint hostname or alias. After a Traps agent checks in with the
Traps management service, you can add the endpoint to an endpoint group. To narrow the list of
endpoints you can begin typing its name or alias in the search field. The Traps management service
provides autocompletion as you type. In a multi-domain environment, you can also filter the list of
endpoints by Domain.

• Dynamic—Dynamically populate a list of endpoints that match one or more endpoint characteristics.
If you specify more than one characteristic, the endpoint must match all characteristics to be included
in the group.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service 37
© 2018 Palo Alto Networks, Inc.
• Enable Endpoint Name / Alias to match endpoints using a full or partial hostname. Use a ? to
match a single character or an * to match any string of characters. For example to match any
endpoint whose hostname begins with enghost, enter enghost*.
• Enable Domain / Workgroup to match endpoints which belong to a specific domain or
workgroup. Use a ? to match a single character or an * to match any string of characters.
• Enable IP to match endpoints with a specific IP Address, Range, or Subnet. The Traps
management service supports only IPv4 addresses.
• Enable VDI and specify whether to add or exclude all virtual desktop infrastructure (VDI)
endpoints from the endpoint group.

STEP 5 | Click Save.

STEP 6 | After you save your endpoint group, assign it in a policy rule.
A new endpoint which matches the characteristics of an endpoint group can take up to an hour to
receive applicable rules. The Traps management service can also take up to an hour to reflect changes in
dynamic group membership when the characteristics of an endpoint change.

38 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service
© 2018 Palo Alto Networks, Inc.
Manage Registered Endpoints
After the Traps agent registers with the Traps management service, you can view information about the
endpoint and perform basic management functions.
• Filter the Endpoints
• View Details About an Endpoint
• View the Endpoint Security Policy
• Retrieve Logs from an Endpoint
• Upgrade Traps
• Uninstall Traps
• Delete an Endpoint

Filter the Endpoints


From the Traps management service, you can view all endpoints that have registered with the Traps
management service. To reduce the number of results displayed, use the endpoint filters at the top of the
page.

STEP 1 | From the Traps management service, click Endpoints.

STEP 2 | Filter the list of endpoints.

• By Status—Select the Status to filter the list of endpoints by their registration status. For status
definitions, see View Details About an Endpoint on page 39.
• By OS—Select the OS to filter by operating system versions.
• By Name—Enter a full or partial hostname for the endpoint. This field also supports wildcards: Use
a ? to match a single character or an * to match any string of characters. For example to match any
endpoint whose hostname begins with enghost, enter enghost*.

View Details About an Endpoint


After the Traps agent registers with the Traps management service, you can view details about the endpoint
such as the Traps version and status.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service 39
© 2018 Palo Alto Networks, Inc.
STEP 1 | From the Traps management service, click Endpoints.

STEP 2 | Select the row for the endpoint to view additional information.
The Traps management service displays the following information for the endpoint:
• Endpoint:
• ENDPOINT NAME—Hostname of the endpoint. To assign an alias to represent the endpoint in
the Traps management service and in search, click the edit icon next to the hostname, enter the
alias, and then click the save icon.

• OS NAME—Name of the operating system and architecture version.


• STATUS—Registration status of the endpoint:
• Active—The Traps agent has checked in within 7 days. On Android endpoints, the Traps agent
has checked in within 3 days.
• Inactive—The Traps agent has not checked in within 7 days. On Android endpoints, the Traps
agent has not checked in within 3 days.
• Zombie—The Traps agent has not checked in within 90 days. On Android endpoints, the Traps
agent has not checked in within 7 days.
• Unauthorized—The Traps agent failed to authenticate or encountered an issue.
• Unlicensed—The license was revoked from the Traps agent.
• Agent Incompatible—The Traps agent is incompatible with the environment and cannot
recover.
• OS Incompatible—The Traps agent is incompatible with the operating system.
• MODEL—(Android only) Endpoint model.
• USER—User that was last logged into the endpoint. On Android endpoints, Traps obtains the user
from the email prefix specified during Traps activation.
• DOMAIN—Domain or workgroup to which the endpoint belongs, if applicable.
• OS VERSION—Operating system version number.
• MEMBER OF—Endpoint Groups for which the endpoint is a member, if applicable. See Define
Endpoint Groups.

To refresh the Endpoint details, click the refresh icon to the right of the Endpoint area.

• Communication & Network:


• LAST SEEN—Date and time of the last change in an agent's status. This can occur when the Traps
management service receives a periodic status report from the agent (once per hour), a user
performed a manual Check In, or a security event occurred. Changes to the agent status can take
up to ten minutes to display on the Traps management service.
• IP—Last known IPv4 or IPv6 address of the endpoint.
• Traps:
• TRAPS VERSION—Version number of the Traps agent installed on the endpoint.
• CONTENT VERSION—Content update version used with the Traps agent.

View the Endpoint Security Policy


The endpoint policy that is active on a specific endpoint can depend on any of the following factors:
• Endpoint operating system

40 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service
© 2018 Palo Alto Networks, Inc.
• Endpoint group membership
• Active directory membership
• Last heartbeat communication
To view the active policy for an endpoint:

STEP 1 | From the Traps management service, click Endpoints.


If necessary, Filter the Endpoints to reduce the number of results.

STEP 2 | Select the row for the endpoint to view additional information.

STEP 3 | Click Policy.


The Traps management service displays the policy assigned to the endpoint.

Retrieve Logs from an Endpoint


From the details view of an endpoint, you can initiate a request to retrieve all logs from an endpoint. You
can then download and send the logs to Technical Support. Each time you generate a new file, the Traps
management service logs the event. You can also retrieve logs associated with a specific security event (see
Assess Security Events).

STEP 1 | From the Traps management service, click Endpoints.

STEP 2 | Select the row for the endpoint to view additional information.

STEP 3 | Select Retrieve Tech Support File to prompt the Traps agent to package all available logs and
send them to the Traps management service.

STEP 4 | When the Tech Support File is ready, you can download it from the Tech Support File area in
the endpoint details view. This view displays only the last file retrieved from the endpoint. To
see the status and history of all files received from the endpoint, select Logs > Data Retrieval.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service 41
© 2018 Palo Alto Networks, Inc.
Upgrade Traps
After you install Traps and the agent registers with the Traps management service, you can upgrade the
Traps software using a method supported by the endpoint platform:
• Android—Upgrade the app directly from the Google Play Store.
• Windows, Mac, or Linux—Create new installation packages and push the Traps package to your
endpoints from the Traps management service.
The following workflow describes how to upgrade Traps for Windows, Mac, and Linux endpoints:

STEP 1 | Select Agent Installations and identify the name of the installation package (or packages if you
plan to upgrade the agent on different operating systems) that you want to use to upgrade
your Traps agents.
If needed, Create an Installation Package for a version that is newer than the version installed on
your endpoints. If you select an installation package which is the same version or earlier, the Traps
management service ignores the upgrade request.

STEP 2 | Select Endpoints.

STEP 3 | If needed, filter the list of endpoints.

To reduce the number of results, use the endpoint name search and filters at the top of
the table. Filter the list of endpoints by Status, Operating System (OS), endpoint name, or
endpoint Group name.

STEP 4 | Select the endpoints you want to upgrade.


You can select some or all matching endpoints for which you want to upgrade. The selection can also
upgrade different operating systems at the same time.

STEP 5 | Select to upgrade the selected endpoints.

STEP 6 | For each platform, select the name of the installation package you want to push to the selected
endpoints.

42 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service
© 2018 Palo Alto Networks, Inc.
STEP 7 | Click Upgrade.
The Traps management service distributes the installation package to the selected endpoints at the next
heartbeat communication with the agent.

Uninstall Traps
At any time you can uninstall Traps from one or more Windows, Mac, or Linux endpoints from the Traps
management service. To uninstall the Traps app for Android, you must do so from the Android endpoint.
The following workflow describes how to uninstall Traps from one or more Windows, Mac, or Linux
endpoints.

STEP 1 | From the Traps management service, click Endpoints.

STEP 2 | Select the endpoints on which you want to uninstall the Traps agent.

To reduce the number of results, use the endpoint name search and filters at the top of
the table. Filter the list of endpoints by Status, Operating System (OS), endpoint name, or
endpoint Group name.

STEP 3 | Select to uninstall the selected endpoints.

Delete an Endpoint
When an agent has been removed from the network without being properly uninstalled, the license remains
associated with the agent until the 90 day clean-up policy is enforced. After that period of time, the Traps
management service returns the license to the available license pools (see License Allocation).

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service 43
© 2018 Palo Alto Networks, Inc.
If you need to decommission the Traps agent from one or more endpoints before the 90 clean-up policy
takes effect, you can do so from the Traps management service. When you decommission the Traps agent,
the Traps management service deletes the endpoint from the list of registered endpoints and returns the
license to the available license pool.
Because VDI endpoints have a VDI-specific license cleanup policy, this action is not supported for VDI
endpoints.

STEP 1 | Select Endpoints.

STEP 2 | Select the endpoints you whose Traps license you want to revoke.

To reduce the number of results, use the endpoint name search and filters at the top of
the table. Filter the Endpoints on page 39 by Status, Operating System (OS), endpoint
name, or endpoint Group name.

An action menu appears at the top of the table.

STEP 3 | Select the more actions icon ( ).

STEP 4 | Select Delete Endpoints.

STEP 5 | Confirm the action to Delete one or more endpoints and return the associated licenses to the
pool, or Cancel.

44 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service
© 2018 Palo Alto Networks, Inc.
About Traps Licenses
Before you can start using the Traps management service to protect your endpoints, you must activate the
Traps management service and any additional services you purchased. Each Traps management service
license enables protection for a maximum number of endpoints and defines the length of time for which
protection is enabled.
• License Allocation
• License Expiration
• License Monitoring

License Allocation
The Traps management service manages licensing for all endpoints in your organization. Each time you
install a new Traps agent on an endpoint, the Traps agent registers with the Traps management service to
obtain a license. In the case of non-persistent VDI, the Traps agent registers with the Traps management
service as soon as the user logs in to the endpoint.
The Traps management service issues licenses until you exhaust the number of license seats available. The
Traps management service also enforces a license cleanup policy to automatically return unused licenses to
the pool of available licenses. A license returns to the license pool when any of the following events occur:
• The Traps agent is uninstalled.
• The Traps agent is disconnected from the Traps management service for more than 90 days.
• (Non-persistent VDI) The user logs off of or ends the VDI session.
• You manually Delete an Endpoint.
If after a license is revoked (either manually or automatically) the agent connects to the Traps management
service, the agent is treated as a new agent and receives a new license from the pool, if available.

It can take up to an hour for the Traps management service to display revived endpoints.

If you exceed the number of available licenses available, the Traps agents that cannot obtain a license will
remain unlicensed and unprotected until you either free up license seats or purchase additional licenses.

If you later free up additional seats, the Traps agent can take up to an hour to obtain a valid
license.

License Expiration
After your Traps management service license expires, the Traps management service allows access to your
tenant for an additional grace period of 14 days. After the 14 day grace period, the Traps management
service disables access until you renew the license.
During the expiration period, the Traps management service will retain data in the Logging Service
according to your Logging Service data retention policy and licensing.
On Windows endpoints, the Traps console displays a disabled status when the agent is unlicensed.

License Monitoring
As new Traps agents register with the Traps management service, the dashboard updates the LICENSE area
to reflect the current license usage. The Traps management service also logs events when the number of

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service 45
© 2018 Palo Alto Networks, Inc.
licenses near the maximum capacity available and when the license nears the expiration date. Monitoring
license events can help you decide when to purchase additional licenses to ensure uninterrupted protection
of your endpoints.

46 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Administer the Traps Management Service
Manage Endpoint Policy
> Endpoint Policy Concepts
> Traps Security Profiles
> Configure a Policy Rule

47
48 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy
© 2018 Palo Alto Networks, Inc.
Endpoint Policy Concepts
• Protection Capabilities
• Protection Modules
• Processes Protected by the Default Policy
• Customizable Traps Settings

Protection Capabilities
Each security profile provides a tailored list of protection capabilities that you can configure for the platform
you select. The following table describes the protection capabilities you can customize in a security profile.
The table also indicates which platforms support the protection capability (a — indicates the capability is not
supported).

Protection Capability Windows Mac Linux Android

Exploit Security Profiles

Browser Exploits Protection — —


Browsers can be subject to
exploitation attempts from
malicious web pages and exploit
kits that are embedded in
compromised websites. By
enabling this capability, Traps
automatically protects browsers
from common exploitation
attempts.

Logical Exploits Protection — —


Attackers can use existing
mechanisms in the operating
system—such as DLL-loading
processes or built in system
processes—to execute
malicious code. By enabling this
capability, Traps automatically
protects endpoints from attacks
that try to leverage common
operating system mechanisms
for malicious purposes.

Known Vulnerable Processes —


Protection
Common applications in the
operating system, such as PDF
readers, Office applications,
and even processes that are a
part of the operating system
itself can contains bugs and

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 49


© 2018 Palo Alto Networks, Inc.
Protection Capability Windows Mac Linux Android
vulnerabilities that an attacker
can exploit. By enabling this
capability, Traps protects these
processes from attacks which
try to exploit known process
vulnerabilities.

Exploit Protection for —


Additional Processes
To extend protection to third-
party processes that are not
protected by the default policy
from exploitation attempts, you
can add additional processes to
this capability.

Operating System Exploits —


Protection
Attackers commonly leverage
the operating system itself to
accomplish a malicious action.
By enabling this capability,
Traps protects operating system
mechanisms such as privilege
escalation and prevents them
from being used for malicious
purposes.

Malware Security Profiles

Ransomware Protection — — —
Targets encryption based
activity associated with
ransomware to analyze and halt
ransomware before any data
loss occurs.

Prevent Malicious Child — — —


Process Execution
Prevents script-based attacks
used to deliver malware by
blocking known targeted
processes from launching child
processes commonly used
to bypass traditional security
approaches.

Portable Executables and DLLs — — —


Examination

50 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
Protection Capability Windows Mac Linux Android
Analyze and prevent malicious
executable and DLL files from
running.

Office Files Examination — — —


Analyze and prevent malicious
macros embedded in Microsoft
Office files from running.

Mach-O Files Examination — — —


Analyze and prevent malicious
mach-o files from running.

APK Files Examination — — —


Analyze and prevent malicious
APK files from running.

Restrictions Security Profiles

Execution Paths — — —
Many attack scenarios are
based on writing malicious
executable files to certain
folders such as the local
temp or download folder
and then running them. Use
this capability to restrict the
locations from which executable
files can run.

Network Locations — — —
To prevent attack scenarios that
are based on writing malicious
files to remote folders, you can
restrict access to all network
locations except for those that
you explicitly trust.

Removable Media — — —
To prevent malicious code from
gaining access to endpoints
using external media such as
a removable drive, you can
restrict the executable files,
that users can launch from
external drives attached to the
endpoints in your network.

Optical Drive — — —

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 51


© 2018 Palo Alto Networks, Inc.
Protection Capability Windows Mac Linux Android
To prevent malicious code from
gaining access to endpoints
using optical disc drives (CD,
DVD, and blu-ray), you can
restrict the executable files, that
users can launch from optical
disc drives connected to the
endpoints in your network.

Protection Modules
Each security profile applies multiple security modules to protect your endpoints from a wide range of
attack techniques. While the settings for each module are not configurable, Traps activates a specific
protection module depending on the type of attack, the configuration of your security policy, and the
operating system of the endpoint. When a security event occurs, Traps logs details about the event
including the security module employed by Traps to detect and prevent the attack based on the technique.
To help you understand the nature of the attack, the Traps management service identifies the protection
module Traps employed in the Security Event Details.
The following table lists the modules and the platforms on which they are supported.

Module Windows Mac Linux Android

Anti-Ransomware — — —
Targets encryption-based activity associated with
ransomware with the ability to analyze and halt ransomware
activity before any data loss occurs.

APC Protection — — —
Prevents attacks which change the execution order of a
process by redirecting an asynchronous procedure call (APC)
to point to the attacker’s malicious shellcode.

Brute Force Protection — — —


Prevents attackers from hijacking the process control flow by
monitoring memory layout enumeration attempts.

Child Process Protection — — —


Prevents script-based attacks used to deliver malware
such as ransomware by blocking known targeted processes
from launching child processes commonly used to bypass
traditional security approaches.

CPL Protection — — —
Protects against vulnerabilities related to the display routine
for Windows Control Panel shortcut images, which can be
used as a malware infection vector.

52 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
Module Windows Mac Linux Android

DEP — — —
Data execution prevention (DEP). Prevents areas of memory
designated as containing data from running as executable
code.

DLL Hijacking — — —
Prevents DLL-hijacking attacks where the attacker attempts
to load DLLs from non-secure locations that are not secure to
gain control of a process.

DLL Security — — —
Prevents access to crucial DLL metadata from untrusted code
locations.

Dylib Hijacking — — —
Prevents Dylib-hijacking attacks where the attacker attempts
to load dynamic libraries from non-secure locations to gain
control of a process.

Exploit Kit Fingerprint — — —


Protects against the fingerprinting technique used by browser
exploit kits to identify information—such as the OS or
applications which run on an endpoint—which attackers can
use to leverage an attack or evade protection capabilities.

Font Protection — — —
Prevents improper font handling, a common target of
exploits.

Gatekeeper Enhancement — — —
Enhancement of the macOS gatekeeper functionality
which allows apps to run based on their digital signature.
This module provides an additional layer of protection by
extending gatekeeper functionality to child processes to
enforce the signature level of your choice.

Hash Exception — —
Halts execution of files which an administrator has
determined to be malware regardless of the WildFire verdict.

Hot Patch Protection — — —


Prevents the use of system functions to bypass DEP and
address space layout randomization (ASLR).

JIT — —

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 53


© 2018 Palo Alto Networks, Inc.
Module Windows Mac Linux Android
Prevents an attacker from bypassing the operating system's
memory mitigations using just-in-time (JIT) compilation
engines.

Local Analysis — —
Examines hundreds of characteristics of an unknown
executable file, DLL, or macro to determine if it is likely to be
malware. The local analysis module uses a statistical model
that was developed using machine learning on WildFire
threat intelligence.

Local Privilege Escalation Protection —


Prevents attackers from performing malicious activities that
require privileges that are higher than those assigned to the
attacked or malicious process.

Null Dereference — — —
Prevents malicious code from mapping to address zero in
the memory space, making null dereference vulnerabilities
unexploitable.

Restricted Execution - Local Path — — —


Prevents unauthorized execution from a local path.

Restricted Execution - Network Location — — —


Prevents unauthorized execution from a network path.

Restricted Execution - Removable Media — — —


Prevents unauthorized execution from removable media.

Reverse Shell Protection — — —


Blocks malicious activity where an attacker redirects standard
input and output streams to network sockets.

ROP —
Protects against the use of return oriented programming
(ROP) by protecting APIs used in ROP chains.

SEH — — —
Prevents hijacking of the Structured Exception Handler (SEH),
a commonly exploited control structure called Linked List,
which contains a sequence of function records.

Shellcode Protection — — —
Reserves and protects certain areas of memory commonly
used to house payloads using heap spray techniques.

54 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
Module Windows Mac Linux Android

ShellLink — — —
Prevents shell-link logical vulnerabilities.

SysExit — — —
Protects against the use of return oriented programming
(ROP) by protecting APIs used in ROP chains.

UASLR — — —
Improves or altogether implements ASLR (module location
randomization) with greater entropy, robustness, and strict
enforcement.

WildFire —
Leverages WildFire for threat intelligence to determine
whether a file is malware. In the case of unknown files, the
Traps management service can forward samples to WildFire
for in-depth analysis.

WildFire Post Detection (Malware and Grayware) —


Identifies a file that was previously allowed to run on an
endpoint that is now determined to be malware. Post-
detection events provide notifications for each endpoint on
which the file executed.

Processes Protected by the Default Policy


Table 1: Processes Protected by the Default Policy for Linux

Linux

anacron httpd php smartd


bluetoothd ibserver pmmasterd smbd
charon identd pop2d snmpd
chronyd lighttpd pop3d squid
couriertcpd mailman postgres squid3
cron master proftpd starter
crond mongod qmgr syslog-ng
cupsd mysqld rpcbind tinyproxy
cyrus_pop3d mysqld_safe rsync vsftpd
danted named rsyslogd winbindd
dhcpd ndsd ruby xinetd

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 55


© 2018 Palo Alto Networks, Inc.
Linux
dovecot nginx samba
exim nmbd saned
ftpd nscd sendmail

Table 2: Processes Protected by the Default Policy for macOS

macOS

adobereader document writer photos


airmail firefox photoshop
app drive for google drive firefox-bin plugin-container
app drop for dropbox google chrome quickbooks
app for dropbox google chrome helper quicktime player
app for facebook itunes safari
app for google drive itunes helper seamonkey
app for googledocs jump desktop signal
app for instagram mail mail+ for yahoo slack
app for linkedin messages sonicwall mobile connect
app for youtube microsoft excel telegram
bbedit microsoft outlook textmate
c-lion microsoft powerpoint textwrangler
cisco anyconnect secure mobility microsoft remote desktop thunderbird
client
microsoft word vlc
com.apple.cloudphotosconfiguration
miniwriterfree vmware fusion
com.apple.safariservices
parallels client vmware fusion services vpn
com.apple.webkit.plugin shield
pdf reader pro free
com.apple.webkit.plugin.64 winmail.dat file viewer
pdf reader x
com.apple.webkit.webcontent

Table 3: Processes Protected by the Default Policy for Windows

Windows

7z.exe dism.exe
7zfm.exe dllhost.exe
7zg.exe eqnedt32.exe
acrobat.exe excel.exe
acrord32.exe firefox.exe
acrord32info.exe flashfxp.exe

56 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
Windows
allplayer.exe flashplayerplugin_10_2_152_26.exe
applemobiledeviceservice.exe flashplayerplugin_10_2_152_32.exe
apwebgrb.exe flashplayerplugin_10_2_153_1.exe
armsvc.exe flashplayerplugin_10_2_159_1.exe
blazehdtv.exe flashplayerplugin_10_3_181_14.exe
browser_broker.exe flashplayerplugin_10_3_181_16.exe
bsplayer.exe flashplayerplugin_10_3_181_22.exe
chrome.exe flashplayerplugin_10_3_181_26.exe
cliconfg.exe flashplayerplugin_10_3_181_34.exe
cmd.exe flashplayerplugin_10_3_183_10.exe
ctfmon.exe flashplayerplugin_10_3_183_11.exe

flashplayerplugin_10_3_183_15.exe flashplayerplugin_11_0_1_152.exe
flashplayerplugin_10_3_183_16.exe flashplayerplugin_11_1_102_55.exe
flashplayerplugin_10_3_183_18.exe flashplayerplugin_11_1_102_62.exe
flashplayerplugin_10_3_183_20.exe flashplayerplugin_11_1_102_63.exe
flashplayerplugin_10_3_183_25.exe flashplayerplugin_11_2_202_228.exe
flashplayerplugin_10_3_183_29.exe flashplayerplugin_11_2_202_233.exe
flashplayerplugin_10_3_183_43.exe flashplayerplugin_11_2_202_235.exe
flashplayerplugin_10_3_183_48.exe flashplayerplugin_11_3_300_257.exe
flashplayerplugin_10_3_183_5.exe flashplayerplugin_11_3_300_262.exe
flashplayerplugin_10_3_183_50.exe flashplayerplugin_11_3_300_273.exe
flashplayerplugin_10_3_183_51.exe flashplayerplugin_11_4_402_278.exe
flashplayerplugin_10_3_183_63.exe flashplayerplugin_11_4_402_287.exe
flashplayerplugin_10_3_183_67.exe flashplayerplugin_11_5_502_110.exe
flashplayerplugin_10_3_183_68.exe flashplayerplugin_11_5_502_136.exe
flashplayerplugin_10_3_183_7.exe flashplayerplugin_11_5_502_146.exe
flashplayerplugin_10_3_183_75.exe flashplayerplugin_11_5_502_149.exe
flashplayerplugin_10_3_183_86.exe flashplayerplugin_11_6_602_168.exe

flashplayerplugin_11_6_602_171.exe flashplayerplugin_11_9_900_117.exe
flashplayerplugin_11_6_602_180.exe flashplayerplugin_11_9_900_152.exe
flashplayerplugin_11_7_700_169.exe flashplayerplugin_11_9_900_170.exe
flashplayerplugin_11_7_700_202.exe flashplayerplugin_12_0_0_38.exe
flashplayerplugin_11_7_700_232.exe flashplayerplugin_12_0_0_44.exe
flashplayerplugin_11_7_700_242.exe flashplayerplugin_12_0_0_70.exe
flashplayerplugin_11_7_700_252.exe flashplayerplugin_12_0_0_77.exe

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 57


© 2018 Palo Alto Networks, Inc.
Windows
flashplayerplugin_11_7_700_257.exe flashplayerplugin_13_0_0_182.exe
flashplayerplugin_11_7_700_260.exe flashplayerplugin_13_0_0_206.exe
flashplayerplugin_11_7_700_261.exe flashplayerplugin_13_0_0_214.exe
flashplayerplugin_11_7_700_269.exe flashplayerplugin_13_0_0_223.exe
flashplayerplugin_11_7_700_272.exe flashplayerplugin_13_0_0_231.exe
flashplayerplugin_11_7_700_275.exe flashplayerplugin_13_0_0_241.exe
flashplayerplugin_11_7_700_279.exe flashplayerplugin_13_0_0_244.exe
flashplayerplugin_11_8_800_168.exe flashplayerplugin_13_0_0_250.exe
flashplayerplugin_11_8_800_94.exe flashplayerplugin_13_0_0_252.exe

flashplayerplugin_13_0_0_258.exe flashplayerplugin_14_0_0_179.exe
flashplayerplugin_13_0_0_259.exe flashplayerplugin_15_0_0_152.exe
flashplayerplugin_13_0_0_260.exe flashplayerplugin_15_0_0_189.exe
flashplayerplugin_13_0_0_262.exe flashplayerplugin_15_0_0_223.exe
flashplayerplugin_13_0_0_264.exe flashplayerplugin_15_0_0_239.exe
flashplayerplugin_13_0_0_269.exe flashplayerplugin_15_0_0_246.exe
flashplayerplugin_13_0_0_277.exe flashplayerplugin_16_0_0_235.exe
flashplayerplugin_13_0_0_281.exe flashplayerplugin_16_0_0_257.exe
flashplayerplugin_13_0_0_289.exe flashplayerplugin_16_0_0_287.exe
flashplayerplugin_13_0_0_292.exe flashplayerplugin_16_0_0_296.exe
flashplayerplugin_13_0_0_296.exe flashplayerplugin_16_0_0_305.exe
flashplayerplugin_13_0_0_302.exe flashplayerplugin_17_0_0_134.exe
flashplayerplugin_13_0_0_309.exe flashplayerplugin_17_0_0_169.exe
flashplayerplugin_14_0_0_125.exe flashplayerplugin_17_0_0_188.exe
flashplayerplugin_14_0_0_145.exe flashplayerplugin_17_0_0_190.exe
flashplayerplugin_14_0_0_176.exe flashplayerplugin_17_0_0_191.exe

flashplayerplugin_18_0_0_160.exe flashplayerplugin_18_0_0_366.exe
flashplayerplugin_18_0_0_194.exe flashplayerplugin_19_0_0_185.exe
flashplayerplugin_18_0_0_203.exe flashplayerplugin_19_0_0_207.exe
flashplayerplugin_18_0_0_209.exe flashplayerplugin_19_0_0_226.exe
flashplayerplugin_18_0_0_232.exe flashplayerplugin_19_0_0_245.exe
flashplayerplugin_18_0_0_241.exe flashplayerplugin_20_0_0_228.exe
flashplayerplugin_18_0_0_252.exe flashplayerplugin_20_0_0_235.exe
flashplayerplugin_18_0_0_255.exe flashplayerplugin_20_0_0_286.exe
flashplayerplugin_18_0_0_261.exe flashplayerplugin_20_0_0_306.exe
flashplayerplugin_18_0_0_268.exe flashplayerplugin_21_0_0_182.exe

58 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
Windows
flashplayerplugin_18_0_0_324.exe flashplayerplugin_21_0_0_194.exe
flashplayerplugin_18_0_0_329.exe flashplayerplugin_21_0_0_197.exe
flashplayerplugin_18_0_0_333.exe flashplayerplugin_21_0_0_213.exe
flashplayerplugin_18_0_0_343.exe flashplayerplugin_21_0_0_242.exe
flashplayerplugin_18_0_0_352.exe flashplayerplugin_22_0_0_192.exe
flashplayerplugin_18_0_0_360.exe flashplayerplugin_22_0_0_209.exe

flashplayerplugin_23_0_0_162.exe flashplayerplugin_27_0_0_183.exe
flashplayerplugin_23_0_0_185.exe flashplayerplugin_27_0_0_187.exe
flashplayerplugin_23_0_0_205.exe flashplayerplugin_28_0_0_126.exe
flashplayerplugin_23_0_0_207.exe flashutil_activex.exe
flashplayerplugin_24_0_0_186.exe fltldr.exe
flashplayerplugin_24_0_0_194.exe fontdrvhost.exe
flashplayerplugin_24_0_0_221.exe foxit reader.exe
flashplayerplugin_25_0_0_127.exe foxitreader.exe
flashplayerplugin_25_0_0_148.exe groovemonitor.exe
flashplayerplugin_25_0_0_171.exe hxmail.exe
flashplayerplugin_26_0_0_120.exe i_view32.exe
flashplayerplugin_26_0_0_131.exe iexplore.exe
flashplayerplugin_26_0_0_137.exe infopath.exe
flashplayerplugin_27_0_0_130.exe ipodservice.exe
flashplayerplugin_27_0_0_159.exe itunes.exe
flashplayerplugin_27_0_0_170.exe ituneshelper.exe

journal.exe outlook.exe
jqs.exe plugin-container.exe
lsass.exe powerpnt.exe
microsoft.photos.exe pptview.exe
microsoftedge.exe qttask.exe
microsoftedgecp.exe quicktimeplayer.exe
migwiz.exe rar.exe
mmc.exe reader_sl.exe
msaccess.exe realconverter.exe
msmpeng.exe realplay.exe
mspub.exe realsched.exe
nginx.exe rundll32.exe
notepad++.exe runtimebroker.exe

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 59


© 2018 Palo Alto Networks, Inc.
Windows
nslookup.exe safari.exe
opera.exe skype.exe
opera_plugin_wrapper.exe skypeapp.exe

skypehost.exe vmware-authd.exe
slmail.exe vmware-hostd.exe
soffice.exe vmware-vmx.exe
spoolsv.exe vpreview.exe
svchost.exe vprintproxy.exe
sysprep.exe w3wp.exe
taskeng.exe webkit2webprocess.exe
taskhost.exe winrar.exe
telnet.exe winword.exe
unrar.exe wireshark.exe
vboxservice.exe wmiprvse.exe
vboxsvc.exe wmplayer.exe
vboxtray.exe wmpnetwk.exe
video.ui.exe wwahost.exe
visio.exe xpsrchvw.exe
vlc.exe

Customizable Traps Settings


Each Agent Settings Profile provides a tailored list of settings that you can configure for the platform you
select. The following table describes these customizable settings and indicates which platforms support the
setting (a — indicates the setting is not supported).

Traps Setting Windows Mac Linux Android

Agent Settings Profiles

Disk Space —
Customize the amount of disk space Traps uses to store logs
and information about events.

User Interface — —
Determine whether and how end users can access the Traps
console.

Agent Security — — —

60 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
Traps Setting Windows Mac Linux Android
Prevent users from tampering with Traps components by
restricting access.

Uninstall Password — — —
Change the default uninstall password to prevent
unauthorized users from uninstalling the Traps software.

Microsoft Security Center Configuration — — —


Configure your Microsoft Security Center preferences to
allow registration with the Microsoft Security Center, allow
registration with automated Windows patch installation, or
disable registration.

Upload Using Cellular Data — — —


Enable Android endpoints to send unknown APK files for
inspection as soon as a user connects to a cellular network.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 61


© 2018 Palo Alto Networks, Inc.
Traps Profiles
Traps management service provides default security profiles that you can use out of the box to begin
protecting your endpoints from threats immediately. While security rules enable you to block or allow files
to run on your endpoints, security profiles help you customize and reuse settings across different groups of
endpoints. When Traps detects behavior which matches a rule defined in your security policy, Traps applies
the security profile that is attached to the rule for further inspection.

Profile Name Description

Exploit Profiles Exploit profiles block attempts to exploit system flaws in browsers, and in the
operating system. For example, Exploit profiles help protect against exploit
kits, illegal code execution, and other attempts to exploit process and system
vulnerabilities. Exploit profiles are supported for Windows, Mac, and Linux
platforms.
To customize an Exploit Profile, see Add a New Exploit Security Profile.

Malware Profiles Malware profiles protect against the execution of malware including trojans,
viruses, worms, and grayware. Malware profiles serve two main purposes: to
define how to treat behavior common with malware such as ransomware or
script-based attacks, and to define how to treat known malware and unknown
files. Malware profiles are supported for Windows, and Mac platforms.
To customize a Malware Profile, see Add a New Malware Security Profile.

Restrictions Profiles Restrictions profiles limit where executables can run on the endpoint. For
example, you can restrict files from running from specific local folders or from
removable media. Restriction profiles are supported for Windows platforms.
To customize a Malware Profile, see Add a New Restrictions Security Profile.

Agent Settings Profiles Agent Settings profiles enable you to customize settings that apply to the
Traps app such as the disk space quota for log retention. For Mac and
Windows platforms, you can also customize user interface options for the
Traps console such as accessibility and notifications.
To customize an Agent Settings profile, see Add a New Agent Settings Profile.

Add a New Exploit Security Profile


Exploit security profiles allow you to configure the action Traps takes when attempts to exploit software
vulnerabilities or flaws occur. To protect against specific exploit techniques, you can customize exploit
protection capabilities in each Exploit security profile.
By default, the Traps agent will receive the default profile that contains a pre-defined configuration for each
exploit capability supported by the platform. To fine-tune your Exploit security policy, you can override the
configuration of each capability to block the exploit behavior, allow the behavior but report it, or disable the
module.
To define an Exploit security profile:

STEP 1 | Add a new profile.

62 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
On new tenants created in June 2018 or later, you must change the default uninstall
password to a new password which meets the Traps management service security
standards before you can create a new profile.

1. From the Traps management service, select Profiles.


2. Select the operating system type to which the profile applies.
3. Click Create > Exploit Profile.

The Traps management service displays the security capabilities supported for the platform you
selected.

STEP 2 | Define the basic settings.


1. Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces,
and must be fewer than 64 characters. The name you choose will be visible from the list of profiles
when you configure a policy rule.
2. To provide additional context for the purpose or business reason for the creation of the profile, enter
a profile Description. For example, you might include an incident identification number or a link to a
help desk ticket.

STEP 3 | Configure the action to take when Traps detects an attempt to exploit each type of software
flaw.
For details on the different exploit protection capabilities, see Protection Capabilities.
• Block—Block the exploit attack.
• Report—Allow the exploit activity but report it to the Traps management service.
• Disabled—Disable the module and do not analyze or report exploit attempts.
• Default—Use the default configuration to determine the action to take. The Traps management
service displays the current default configuration for each capability in parenthesis, for example
Default (Block).
To view which processes are protected by each capability, expand Protected Processes. To drill down or
locate a specific process, use the search, or tab through the results.
For Exploit Protection for Additional Processes, you also add one or more additional processes.

STEP 4 | Save the changes to your profile.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 63


© 2018 Palo Alto Networks, Inc.
STEP 5 | Assign the profile to a policy rule (see Configure a Policy Rule).

Add a New Malware Security Profile


Malware security profiles allow you to configure the action Traps takes when known malware and unknown
files try to run on Windows, Mac, Linux, and Android endpoints.
By default, the Traps agent will receive the default profile that contains a pre-defined configuration for
each malware protection capability supported by the platform. To fine-tune your Malware security policy,
you can override the configuration of each capability to block the malware or malicious behavior, allow but
report it, or disable the module.
To configure a Malware security profile:

STEP 1 | Add a new profile.

On new tenants created in June 2018 or later, you must change the default uninstall
password to a new password which meets the Traps management service security
standards before you can create a new profile.

1. From the Traps management service, select Profiles.


2. Select the operating system type to which the profile applies.
3. Click Create > Malware Profile.

The Traps management service displays the security capabilities supported for the platform you
selected. For details, see Protection Capabilities.

STEP 2 | Identify the profile.


1. Enter a unique Name to identify the profile. The name can contain letters, numbers, or spaces, and
must be fewer than 64 characters. The name you choose will be visible from the list of profiles when
you configure a policy rule.
2. To provide additional context for the purpose or business reason for the creation of the profile, enter
a profile Description. For example, you might include an incident identification number or a link to a
help desk ticket.

STEP 3 | (Windows only) Configure Ransomware Protection to define the Action mode to take when
Traps detects ransomware activity.

64 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
• Default—Use the default configuration to determine the action to take. The Traps management
service displays the default value for each capability in parenthesis, for example Default (Block).
• Block—Block the activity.
• Report—Allow the activity but report it to the Traps management service.
• Disabled—Disable the module and do not analyze or report the activity.

STEP 4 | (Windows only) Configure Traps to Prevent Malicious Child Process Execution.
1. Select the Action mode to take when Traps detects malicious child process execution:
• Default—Use the default configuration to determine the action to take. The Traps management
service displays the default value for each capability in parenthesis, for example Default (Block).
• Block—Block the activity.
• Report—Allow the activity but report it to the Traps management service.
• Disabled—Disable the module and do not analyze or report the activity.
2. To allow specific processes to launch child processes for legitimate purposes, whitelist the child
process with optional execution criteria.
Click +, and then specify the whitelist criteria including the Parent Process Name, Child Process
Name, and Command Line Params. Use a ? to match a single character or an * to match any string of
characters.

If you are adding child process evaluation criteria based on a specific security
event, note that the event indicates both the source process and the command line
parameters in one line. Copy only the command line parameter for use in the profile.

STEP 5 | (Linux only) Configure Reverse Shell Protection.


The Reverse Shell Protection module enables Traps to detect and optionally block attempts to redirect
standard input and output streams to network sockets.
1. Define the Action mode to take when Traps detections the malicious behavior.
• Default—Use the default configuration to determine the action to take. The Traps management
service displays the default value for each capability in parenthesis, for example Default (Block).
• Block—Block the activity.
• Report—Allow the activity but report it to the Traps management service.
• Disabled—Disable the module and do not analyze or report the activity.
2. (Optional) Whitelist processes that must redirect streams to network sockets.
1. Click the + to add a connection.
2. Enter the path of the process, and the local and remote IP address and ports.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 65


© 2018 Palo Alto Networks, Inc.
You can also use a wildcard to match a partial path name. Use a * to match any string of
characters (for example, */bash). You can also use a * to match any IP address or any port.

3. Press Enter or click the check mark when done.


4. Repeat to add additional folders.

STEP 6 | (Windows, Mac, and Android only) Configure Traps to examine executable files or DLL files on
Windows endpoints, Mach-O files on Mac endpoints, or APK files on Android endpoints.
1. Configure the Action mode, the behavior of Traps, when malware is detected:
• Default—Use the default configuration to determine the action to take. The Traps management
service displays the default value in parenthesis, for example Default (Block).
• Block—Block attempts to run malware.
• Report—Report but do not block malware that attempts to run.
• (Android only) Prompt—Enable Traps to prompt the user when malware is detected and allow the
user to choose to allow malware, dismiss the notification, or uninstall the app.
• Disabled—Disable the module and do not examine files for malware.
2. Configure additional actions to take to examine files for malware.
By default, Traps management service uses the settings specified in the default malware security
profile and displays the default configuration in parenthesis. When you select a setting other than the
default, you override the default configuration for the profile.
• (Mac only) Upload Mach-O files for cloud analysis—Enable Traps to send unknown Mach-O files
to the Traps management service, which sends the files to WildFire for analysis. WildFire accepts
files up to 100MB in size.
• (Android only) Upload APK files for cloud analysis—Enable Traps to send unknown APK files to
the Traps management service, which sends the files to WildFire for analysis. WildFire accepts
files up to 100MB in size.
• (Windows only) Quarantine malicious executables—By default, Traps blocks malware from
running but does not quarantine the file. Enable this option to quarantine files when either
WildFire or an administrative policy override identifies a file as malware. To quarantine files issued
a malware verdict by Traps local analysis, enable Traps to Quarantine local analysis. Otherwise, if
you disable this option (default) files with a malware verdict issued by local analysis will remain on
the endpoint in its original location.
The quarantine feature is not available for malware identified in network drives.
• Treat grayware as malware—Treat all grayware with the same Action mode you configure for
malware. Otherwise, if this option is disabled, grayware is considered benign and is not blocked.
• (Windows only) Upload PE files for cloud analysis—Enable Traps to send unknown PE and DLL
files to the Traps management service, which sends the files to WildFire for analysis. WildFire
accepts files up to 100MB in size.
• Local analysis—Enable Traps to use embedded machine learning to determine the likelihood that
an unknown file is malware and issue a local verdict for the file. When this option is disabled and

66 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
you also configure Traps to block unknown files, users will not be permitted to open unknown
files. As a result, the unknown file remains blocked until Traps receives an official WildFire verdict.
• Block files with unknown verdict—When the file is unknown in the local and server cache, block it
from running.
3. (Optional) Whitelist Folders from examination.
1. Click the + to add a folder.
2. Enter the path and press Enter or click the check mark when done. You can also use wildcards to
match folders containing a partial name. Use a ? to match a single character or an * to match any
string of characters. To match a folder you must terminate the path with a * which matches all
files in the folder (for example, c:\temp\*).
3. Repeat to add additional folders.
4. Whitelist Signers from examination.
1. Click the + to add a trusted signer.
2. Enter the name of the trusted signer (Windows) or the SHA1 hash of the certificate that signs the
file (Mac) and press Enter or click the check mark when done. You can also use wildcards to match
a partial name for the signer. Use a ? to match any single character or an * to match any string of
characters.
3. Repeat to add additional folders.

STEP 7 | (Windows only) Configure Traps to examine macros in Microsoft Office files.
1. Configure the Action mode, the behavior of Traps, when a malicious macros is detected:
• Default—Use the default configuration to determine the action to take. The Traps management
service displays the default value in parenthesis, for example Default (Block).
• Block—Block attempts to run malicious macros.
• Report—Report but do not block malicious macros that attempts to run.
• Disabled—Disable the module and do not examine macro for malware.
2. Configure additional actions to take to examine files for malware.
By default, Traps management service uses the settings specified in the default malware security
profile and displays the default configuration in parenthesis. When you select a setting other than the
default, you override the default configuration for the profile.
• Upload Office files for cloud analysis—Enable Traps to send Office files containing unknown
macros to the Traps management service, which sends the files to WildFire for analysis. The Traps
management service only uploads the Office file if it contains a macro. WildFire accepts files up to
100MB in size.
• Local analysis—Enable Traps to use embedded machine learning to determine the likelihood that
an unknown macro is malware and issue a local verdict for the file. When this option is disabled
and you also configure Traps to block unknown files, users will not be permitted to run unknown
macros. As a result, the unknown macros remains blocked until Traps receives an official WildFire
verdict.
• Block files with unknown verdict—When the file is unknown in the local and server cache, block it
from running.
3. Whitelist Folders from examination.
1. Click the + to add a folder.
2. Enter the path and press Enter or click the check mark when done. You can also use wildcards to
match a partial name for the folder. Use a ? to match any single character or an * to match any
string of characters. To match a folder you must terminate the path with a * which matches all
files in the folder (for example, c:\temp\*).
3. Repeat to add additional folders.

STEP 8 | (Windows only) Enable periodic scanning of malware.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 67


© 2018 Palo Alto Networks, Inc.
Periodic scanning enables Traps to scan for malicious executable files, DLLs, and macros on an endpoint
without waiting for an attempt to run the malicious file.

1. Configure the Action mode for Traps to periodically scan the endpoint for malware, Enabled to scan
at the configured intervals, Disabled if you do not want Traps to scan the endpoint, or Default to use
the default configuration to determine the action to take. The Traps management service displays the
default value in parenthesis, for example Default (Disabled).
2. To configure the Scan schedule, set the frequency (Weekly or Monthly) and day and time at which
the scan will run on the endpoint.
3. To include removable media drives in the scheduled scan, enable Traps to Scan removable media
drives.
By default, Traps management service uses the settings specified in the default malware security
profile and displays the default configuration in parenthesis. When you select a setting other than the
default, you override the default configuration for the profile.
4. Whitelist Folders from examination.
1. Click the + to add a folder.
2. Enter the folder path. Use a ? to match a single character or an * to match any string of characters
in the folder path (for example, C:\*\temp).
3. Press Enter or click the check mark when done.
4. Repeat to add additional folders.

STEP 9 | Save the changes to your profile.

STEP 10 | Assign the profile to a policy rule (see Configure a Policy Rule).

Add a New Restrictions Security Profile


Restrictions security profiles limit the surface of an attack on a Windows endpoint by defining where and
how your users can run files.
By default, the Traps agent will receive the default profile that contains a pre-defined configuration for
each restrictions capability. To customize the configuration for specific Traps agents, configure a new
Restrictions security profile and assign it to one or more policy rules.
To define a Restrictions security profile:

STEP 1 | Add a new profile.

68 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
On new tenants created in June 2018 or later, you must change the default uninstall
password to a new password which meets the Traps management service security
standards before you can create a new profile.

1. From the Traps management service, select Profiles.


2. Select Windows as the type of platform to which the profile applies.
The Restrictions security profile is not available for Linux, Mac, or Android endpoints.
3. Click Create > Restrictions.

STEP 2 | Define the basic settings.


1. Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces,
and must be fewer than 64 characters. The name you choose will be visible from the list of profiles
when you configure a policy rule.
2. To provide additional context around the purpose or business reason for the creation of the profile,
enter a profile Description. For example, you might include an incident identification number or a link
to a help desk ticket.

STEP 3 | Configure each of the Restrictions Protection Capabilities.


1. Configure the action to take when a file attempts to run from a specified location.
• Block—Block the file execution.
• Notify—Allow the file to execute but notify the user that the file is attempting to run from a
suspicious location. The Traps agent also reports the event to the Traps management service.
• Report—Allow the file to execute but report it to the Traps management service.
• Disabled—Disable the module and do not analyze or report execution attempts from restricted
locations.
• Default—Use the default configuration to determine the action to take. The Traps management
service displays the default value for each capability in parenthesis, for example Default (Block).
2. Whitelist or blacklist files, as needed.
The type of protection capability determines whether the capability supports a whitelist, blacklist, or
both. With a whitelist, the action mode you configure applies to all the paths except for those that
you specify. With a blacklist, the action applies only to the paths that you specify.
1. Click the + to add a file or folder.
2. Enter the path and press Enter or click the check mark when done. You can also use wildcards
to match a partial name for the folder and environment variables. Use a ? to match any single
character or an * to match any string of characters. To match a folder you must terminate the
path with a * which matches all files in the folder (for example, c:\temp\*).

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 69


© 2018 Palo Alto Networks, Inc.
3. Repeat to add additional folders.

STEP 4 | Save the changes to your profile.

STEP 5 | Assign the profile to a policy rule (see Configure a Policy Rule).

Add a New Agent Settings Profile


Agent Settings Profiles enable you to customize Traps settings for different platforms and groups of users.

STEP 1 | Add a new profile.

On new tenants created in June 2018 or later, you must change the default uninstall
password to a new password which meets the Traps management service security
standards before you can create a new profile. If you later need to change the password,
you can do so by configuring or editing an Agent Settings Profile.

1. From the Traps management service, select Profiles.


2. Select the operating system type to which the profile applies.
3. Click Create > Agent Settings.
The Traps management service displays the settings that you can configure for the platform you
selected.

STEP 2 | Define the basic settings.


1. Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces,
and must be fewer than 64 characters. The name you choose will be visible from the list of profiles
when you configure a policy rule.
2. To provide additional context for the purpose or business reason for the creation of the profile, enter
a profile Description. For example, you might include an incident identification number or a link to a
help desk ticket.

STEP 3 | (Windows, Mac, and Linux only) Configure the Disk Space to allot for Traps logs.

70 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
Specify a value in MB from 100 to 10,000 (default is 5,000).

STEP 4 | (Windows and Mac only) Configure User Interface options for the Traps console.
By default, Traps management service uses the settings specified in the default agent settings profile
and displays the default configuration in parenthesis. When you select a setting other than the default,
you override the default configuration for the profile.
• Hide tray icon—Enable this option to hide the Traps icon from the notification area (system tray).
• Disable access to the Traps console—Enable this option to prevent users from opening the Traps
console.
• Hide Traps user notifications—Enable this option to operate Traps in silent mode where the Traps
agent does not display any notifications in the notification area.

STEP 5 | (Android only) Configure network usage preferences.


When the option to Upload Using Cellular Data is enabled, Traps uses cellular data to send unknown
apps to the Traps management service for inspection. Standard data charges may apply. When this
option is disabled, Traps queues any unknown files and sends them when the endpoint connects to a
Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this
configuration.

STEP 6 | (Windows only) Configure Agent Security options that prevent unauthorized access or
tampering with Traps components.
Similar to the User Interface options, use the default agent settings or customize them for the profile.
1. Enable or disable Agent Anti-Tampering Protection.
2. When Agent Anti-Tampering Protection is enabled, configure granular protection options for Traps
services, processes, files, and registry values, if desired.

STEP 7 | (Windows only) Set a password the user must enter to uninstall the Traps agent.
The default uninstall password is Password1. To set a new password, the password must satisfy the
following requirements:
• Contain eight or more characters.
• Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'.
To change the password:
1. Click the edit icon in the Uninstall Password area.
2. Enter and confirm the new uninstall password.

STEP 8 | (Windows only) Configure Windows Security Center Configuration.


The Windows Security Center is a reporting tool which monitors the system health and security state
of Windows endpoints on Windows 7 and later releases. By default, Traps registers to the Windows
Security Center as an official Antivirus (AV) software product and enables Windows to install updates for
Meltdown/Spectra vulnerability patches. If you do not want to allow Windows to automatically install
patches, change the setting to Enabled (No Patches), or to disable Traps registration to the Windows
Security Center completely, select Disabled. When registration is disabled, the Action Center indicates
Virus protection is Off.

STEP 9 | Save the changes to your profile.

STEP 10 | Assign the profile to a policy (see Configure a Policy Rule).

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 71


© 2018 Palo Alto Networks, Inc.
Configure a Policy Rule
The Traps management service provides out-of-the-box protection for all registered endpoints with a
default security policy for each type of platform. To fine-tune your security policy, you customize settings in
a security profile and attach that profile to a policy rule. Each policy rule that you create must apply to one
or more endpoints, endpoint groups, or Active Directory (AD) objects.

Traps discards any policy rules that do not match the endpoint platform. For example, if you
create a rule for Mac endpoints but select an endpoint group containing both Windows and
Mac endpoints, Traps applies the rule only to the Mac endpoints.

STEP 1 | From the Traps management service, select Policy Rules.

STEP 2 | Select the platform for which you want to create a new policy rule: Windows, macOS, Linux, or
Android.

STEP 3 | Create a new policy rule.

STEP 4 | Select one or more endpoints, endpoint groups, or AD objects to which the rule applies.
1. Select + Add host.

2. Use the search field and/or endpoint filters to narrow the results:
• Type—By default the Traps management service displays all Agent hostnames that match your
search term and selected platform type. You can also narrow the results by:
• Group—Select an endpoint group to which to apply the rule. To define or modify an endpoint
group, see Define Endpoint Groups. You can also use the search to display endpoint groups
that match your search term.
• AD object—AD Computer, AD OU (organizational unit), AD User, or AD Group. To assign
policy rules to AD objects, you must associate the Traps management service with a Directory
Sync Service instance. AD objects also require you to select a Domain and are available for
Windows endpoints only.

If you select Group or an AD object as the type, the Traps management service
displays all results that match the Type and your search term regardless of the
platform you selected.
• Domain—By default, the Traps management service displays results for all domains. To see results
for a specific domain, select one from the list. The Domain filter is not available if you also filtered
by endpoint Group.
You can also use wildcards to search for endpoints or groups that match a partial name. Use a ? to
match any single character or an * to match any string of characters. The Traps management service
filters the results to match your search term as you type.

72 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


© 2018 Palo Alto Networks, Inc.
3. To add multiple endpoints or endpoint groups, click + Add host again to return to the add endpoints
dialog.

STEP 5 | Select the profile to use for each type of policy.

When there are no customized profiles available, Traps management service automatically selects the
default policy.

STEP 6 |
To save the rule, click .

STEP 7 | Change the rule order, if needed, to position the rule relative to other rules.
Traps evaluates rules from top to bottom. When Traps finds the first match it applies that rule as the
active policy. Use one of the following methods to change the rule order:
• Hover over the rule, select the anchor on the left, and drag the rule to a new place in the rule
hierarchy.

• Select the edit icon next to the policy rule, and then select Move Up to precede the rule below it or
Move Down to follow the rule above.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy 73


© 2018 Palo Alto Networks, Inc.
STEP 8 | Next steps...
Assess Security Events triggered by security profile rules.

74 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Manage Endpoint Policy


Assess and Remediate Security Events
> What is a Security Event?
> Assess Security Events
> Create a Policy Exception
> Scan an Endpoint for Malware
> Investigate a File
> Review WildFire Analysis Details
> Manage Quarantined Files

75
76 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
What is a Security Event?
A security event occurs when the Traps agent identifies an attempt to run a malicious file or process. Traps
agents report security events when the file or process matches your applied policy rules (either default
policy rules or custom rules you define). When the event occurs, Traps applies the action specified in the
applied security profile, either block the malicious activity, or allow and report the malicious activity. Some
examples of events that can trigger a security event include attempts to:
• Run known malware
• Run unknown files
• Leverage bugs or flaws in software for a malicious purpose
The following topics provide more information to help you Assess Security Events:
• Security Event Severity Levels
• Security Event Details
• WildFire Analysis Details

Security Event Severity Levels


When a security event occurs, Traps logs the event and reports it to the Traps management service. The log
for each security event identifies the type of event and the specific module Traps applied to the process or
file. The Traps management service assigns each security event a severity level based on the nature of the
event. The following table the events in order of Severity (High to Low), then alphabetically by Protection
Modules.

Module Severity

Administrator File Exception High

Anti-Ransomware Protection High

APC Protection High

Hash Exception High

Kernel Privilege Escalation Protection High

WildFire Post Detection High


(Malware and Grayware)

Brute Force Protection Medium

Child Process Protection Medium

CPL Protection Medium

DEP Medium

DLL Hijacking Protection Medium

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 77
© 2018 Palo Alto Networks, Inc.
Module Severity

DLL Security Medium

Dylib Hijack Protection Medium

Exception SysExit Check Medium

Exploit Kit Fingerprinting Protection Medium

Font Protection Medium

Gatekeeper Enhancement Medium

Hot Patch Protection Medium

JIT Mitigation Medium

Local Analysis Medium

Null Dereference Protection Medium

Reverse Shell Protection Medium

ROP Mitigation Medium

SEH Protection Medium

Shellcode Protection Medium

ShellLink Protection Medium

UASLR Medium

WildFire Malware Medium

Execution from a Restricted Location - Local Path Low

Execution from a Restricted Location - Network Low


Location

Execution from a Restricted Location - Removable Low


Media

WildFire Grayware Low


(Treat as malware)

WildFire Unknown Low


(Treat as malware)

78 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
Security Event Details
When the Traps agent reports a security event, the Traps management service provides a detailed view
of the security event that you can use to assess the event and determine if it poses a security threat that
requires additional mitigation and remediation. The details for each security event vary depending on the
type of event: or a process with a software flaw, what rule or rules were violated, and what profile triggered
the event. These details can include some or all of the following information:

Field Description

Security Event

SEVERITY Severity associated with the type of event, High,


Medium, or Low.

EVENT Name of the event that occurred.

AGENT LOCAL TIME Local time on the endpoint when the event
occurred.

EVENT ID Unique event ID.

STATUS Administrator defined status for the security


event. When an event is first reported to the
Traps management service, the event has a
STATUS of New. When you begin to assess the
potential threat for a security event, you can set
the STATUS to Investigating. This allows you to
easily filter the Security Events dashboard for the
security events that you are currently assessing.
After you complete your investigation, you can
change the STATUS to Closed to indicate to other
administrators that no additional assessment is
required.

AGENT TIME Universal coordinated time (UTC) when the event


occurred on the endpoint, adjusted for your local
system time.

REPORT TIME Universal coordinated time (UTC) when the Traps


management service received the security event
log, adjusted for your local system time.

Data Retrieval
This displays only if you attempt to retrieve data from the endpoint.

STATUS Status of the data retrieval request: Pending


when the request for data is initiated from the
Traps management service, In Progress after the
Traps agent receives the request, and Failed if
the request fails or times out. When the upload is

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 79
© 2018 Palo Alto Networks, Inc.
Field Description
complete, the Traps management service displays
a link to Download Retrieved Data.

GENERATION DATE Date and time the data was requested.

Module

PROFILE TYPE Type of profile associated with the rule. For details
on profile types, see Traps Profiles.

SOURCE PROCESS Name of the source process or file that triggered


the event.

ACTION Action taken by Traps when the security event


occurred: Block the process, file, or activity; or
Report the event but do not block it.

MODULE Module that triggered the event. The supported


modules vary by the capabilities supported on
each platform. See Protection Modules.

VERDICT For WildFire- or local analysis-related events, this


field displays the verdict assigned to the file by the
WildFire or Local Analysis module.

Endpoint: <endpointName>
Additional information about the endpoint.

STATUS The status of the endpoint as reported on the


Endpoints page (Active, Inactive, Zombie,
Unauthorized, Unlicensed, Agent Incompatible, or
OS Incompatible).

LOGGED ON USER User that was logged into the endpoint when the
security event occurred.

OS VERSION Version of the operating system.

CONTENT VERSION Version of the content update installed with the


Traps agent.

ENDPOINT ID Unique identifier of the endpoint (assigned by the


Traps management service).

DOMAIN Domain or workgroup to which the endpoint


belongs.

OS NAME Operating system name and architecture.

AGENT VERSION Version of the Traps agent.

80 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
Field Description

IP IPv4 or IPv6 address of the endpoint.

Processes
Additional information about the affected process.

Process Name of the process, for example, notepad+


+.exe.

PID Unique identifier for the running process.

FILE NAME File name of the process, for example notepad+


+.exe.

FULL PATH Full path for the file, for example C:\Users
\User\Desktop\ROP\notepad++.exe

SIGNER Signer of the file, for example Microsoft


Corporation.

Files
Information about files accessed by the affected process.

FILE NAME Name of the file which triggered the event.

FULL PATH Full path to the file involved in the event.

SHA 256 SHA-256 hash of the file.

Users

USER NAME User account used to run the process.

USER DOMAIN Domain or workgroup to which the user belongs.

WildFire Analysis Details


When WildFire returns a verdict for a file, the Traps management service also receives the WildFire analysis
report. This report contains the detailed sample information and behavior analysis in different sandbox
environments. You can use the report to asses whether the file poses a real threat on an endpoint. The
details in the WildFire analysis report for each event vary depending on the behavior of the file.

WildFire Analysis Details Description

File: <fileName> (<hashValue>)

VERDICT Official WildFire verdict for the file: Unknown,


Malware, Grayware, Benign, or No Connection.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 81
© 2018 Palo Alto Networks, Inc.
WildFire Analysis Details Description

SHA1 Hash value of the file generated using the SHA1


algorithm.

SHA256 Hash value of the file generated using the SHA256


algorithm.

MD5 Hash value of the file generated using the MD5


algorithm.

FILE TYPE Type of file, for example Portable Executable or


DLL.

SIZE Size of the file.

Analysis Reports

Analysis The Analysis Reports section includes the WildFire


analysis reports for each testing environment.
Each WildFire analysis report displays information
about targeted processes and users, email
header information (if enabled), the application
that delivered the file, and all URLs involved
in the delivery or phone-home activity of the
file. WildFire reports contain some or all of the
information based on the observed behavior for
the file.

82 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
Assess Security Events
The Traps management service ranks all events in order of severity so you can quickly and easily see the
most important events when you log in to the Traps management service. You can then drill down into the
security events to determine if a security event is a real threat and, if so, you can remediate it. In some cases
you may determine that a security event does not pose a real threat and can create an exception for it. Use
the following workflow to drill down into a security event and assess whether it poses a security threat.

STEP 1 | From the Traps management service, select Security Events.

STEP 2 | Filter the security events.


The Traps management service displays the filters you can use at the top of the Security Events page.
When you supply more than one filter, the Traps management service displays only security events that
match all the specified criteria.
Filters that accept text do not accept wildcards and are case insensitive.
• By time—Select the Timeframe for which you would like to filter security events: Last 24 hours, Last
7 days, Last 30 days, or Last 3 Months.
• By status—Select the Status for which you would like to filter security events. You can define or
change the status for each event when you view additional details about the event.
• By severity—The Traps management service indicates the total number of threats for each severity
(high, medium, and low) with quick links you can use to filter security events by severity. You can also
use the Severity drop-down at the top of the page to filter by one or more severities.
• By platform—Select the Platform to filter by operating system.
• By endpoint name or ID—Enter a full or partial Endpoint Name in the Search field.

If the name of the endpoint changes, the Traps management service automatically
updates the name associated with the security event to use the new name, but
preserves the original endpoint name in the details view of the event. To search for
events for a renamed endpoint, use the current endpoint name as match criteria.

To instead search for an endpoint by its unique endpoint ID, select Endpoint ID instead of Endpoint
Name and enter the full ID value. You can identify the endpoint ID—which is assigned by the Traps
management service—in the details view for an endpoint (for more information, see View Details
About an Endpoint on page 39).
• By username—Enter a full or partial Username to filter security events that occurred when a user
was logged into one or more endpoints. You can also include the user domain in the format domain
\username to filter security events for a user that belongs to a specific domain.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 83
© 2018 Palo Alto Networks, Inc.
• By process or file name—Enter a full or partial Process/File Name to filter security events for a
specific file.

STEP 3 | To drill down into additional Security Event Details, select the Event name.
This detailed view provides context around the event and provides information you can use to help you
assess whether the security event is a valid threat.

STEP 4 | While you are investigating a security event, consider changing the event STATUS to
Investigating (click the

icon and select Investigating from the drop-down).

After you set the status, you can easily filter the Security Events dashboard by the events you are
currently assessing.

STEP 5 | If the threat violated a Malware policy rule, you can also view information about the hash
and the associated WildFire Analysis Report to learn about the malicious behavior WildFire
observed.
You can then use this information to help you remediate the malware on your endpoints to prevent
it from propagating. If you disagree with a WildFire verdict, you can submit a report describing why
you believe the verdict is incorrect to Palo Alto Networks. For more information, see Review WildFire
Analysis Details.

STEP 6 | Retrieve data from the endpoint.


1. From the details view of a security event, select Retrieve Data.

2. Confirm the action to Retrieve data.


The Traps management service displays the status of the data retrieval request in the Details of the
security event.

84 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
You can also go to the Logs > Data Retrieval page to view all data collected from Traps agents. See
Data Retrieval Logs.
3. After the Traps agent uploads the data to the Traps management service, you can download it to
further assess and understand the activity associated with the event.
To view additional details about an endpoint including the policy applied on the endpoint, see
Manage Registered Endpoints.

STEP 7 | To help track your progress as you analyze a security event:


1. Enter or view comments for the event: Select Comments, then enter and submit the comment.
2. View the change history for a security event: Select History.

STEP 8 | (Optional) If after reviewing the details about a security event, you want to grant an exception
to the security policy that triggered the event, Create a Policy Exception.
To configure an exception for an event triggered by your exploit policy, configure a Process Exception.
To configure an exception for an event triggered by your malware policy, configure a Hash Exception.
Exceptions are not available for restriction policy rules.

STEP 9 | After you complete your investigation, change the STATUS of the security event to Closed
to indicate to other administrators that no additional assessment is required. You can also
optionally archive the event:
1. From the Security Events dashboard, select the events you want to archive.
The Traps management service displays a menu of actions to manage the event.

2. Select the option to archive selected security events.


3. Review the warning message and confirm you want to Archive the events.
The Traps management service removes the security event from the Security Events dashboard.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 85
© 2018 Palo Alto Networks, Inc.
Create a Policy Exception
In some cases, you may need to override the applied security policy to change whether Traps allows a
process or file to run on an endpoint. To override the security policy, you can configure any of the following
types of policy exceptions:
• Create a Process Exception—Allow processes blocked by an exploit security module to run on an
endpoint. You can also disable all exploit protection modules for a process.
• Create a Hash Exception—Explicitly define a verdict for a file (Benign or Malware). The Traps
management service distributes the verdict to all Traps agents that attempt to run the file. Traps will
evaluate the verdict you specify for the file instead of the WildFire verdict.
• Manage Support Exceptions—Palo Alto Networks defined exceptions that can be used to temporarily
address policy issues for specific customers.

Create a Process Exception


When a specific module in your exploit security profile blocks a process from running and you want to allow
a process to run on one or more endpoints, configure a process exception.
You can configure a process exception to disable a specific exploit protection module on a specific process
or you can configure a process exception to disable all protection modules for the process. To disable a
specific exploit protection module on a specific process you can also use a security event to populate the
process exception with the necessary details such as module, process, and endpoint. See the following
topics to create a process exception:
• Create a process exception from a security event.
• Create a process exception from scratch.
• Disable all exploit protection modules for a process.

• Create a process exception from a security event.


To pre-populate a process exception to exclude a process from protection by a specific exploit
protection module using the details from a security event:
1. From the Security Events dashboard on the Traps management service, select the security event for
which you want to base a policy exception.
2. At the top of the details view, select Create Exception.

86 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
3. Add additional Hosts, if needed.
1. Click + to open the endpoint search dialog.
2. Add endpoints by the endpoint hostname.
To narrow the list of endpoints you can begin typing the name in the search field. The Traps
management service provides autocompletion as you type. In a multi-domain environment, you
can also filter the list of endpoints by Domain. To add all endpoints that match the platform type,
type any into the search field. Use the any option with caution and instead consider assigning
a different security profile to your policy rule if the applied security policy is not meeting your
needs.
4. Enter a comment to explain why you are granting an exception to the security policy.
5. To save the policy exception, click .
After the Traps management service distributes the updated security policy to the agent at the next
heartbeat communication, the next time the activity is repeated, Traps will permit the process to run.
6. At any time, you can return to the Exceptions > Process Exceptions page to make changes to the
exception or Disable or delete a process exception. if it is no longer required.

• Create a process exception from scratch.


To create a process exception to exclude a process from protection by a specific exploit protection
module without using a security event to populate the exception details:
1. Select Exceptions > Process Exceptions.
2. Selection Actions > Create Process Exception.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 87
© 2018 Palo Alto Networks, Inc.
3. Enter the Process Name for which you want to disable protection.
4. Select the Platform to which the exception applies.
5. Select the exploit protection Module that you want to disable on the process.
6. Select Disable.
The Traps management service adds the exception to the Process Exceptions page.
7. Apply the exception to one or more Hosts.
Until you apply the exception to one ore more hosts, the exception is active but does not apply to
any endpoint.
1. Click the edit icon .
2. Click + to open the endpoint search dialog.
3. Add endpoints by the endpoint hostname.
To narrow the list of endpoints you can begin typing the name in the search field. The Traps
management service provides autocompletion as you type. In a multi-domain environment, you
can also filter the list of endpoints by Domain. To add all endpoints that match the platform type,
type any into the search field. Use the any option with caution and instead consider assigning
a different security profile to your policy rule if the applied security policy is not meeting your
needs.
8.
Click save .
The Traps management service sends the latest policy with the hash exception to the specified
endpoints at the next heartbeat communication with the Traps agent.
9. At any time, you can return to the Exceptions > Process Exceptions page to make changes to the
exception or Disable or delete a process exception. if it is no longer required.

• Disable all exploit protection modules for a process.


1. Select Exceptions > Process Exceptions.
2. Selection Actions > Disable Process Protection.
3. Enter the Process Name for which you want to disable protection.
4. Select the Platform to which the exception applies.
5. Select Disable.
The Traps management service adds the exception to the Process Exceptions page and identifies the
Module as Disable Process Protection.
6. Apply the exception to one or more Hosts.
Until you apply the exception to one or more hosts, the exception is active but does not apply to any
endpoint.
1. Click the edit icon .
2. Click + to open the endpoint search dialog.
3. Add endpoints by the endpoint hostname.
To narrow the list of endpoints you can begin typing the name in the search field. The Traps
management service provides autocompletion as you type. In a multi-domain environment, you
can also filter the list of endpoints by Domain. To add all endpoints, type any into the search field.

Use the any option with caution and instead consider assigning a different security
profile to your policy rule if the applied security policy is not meeting your needs.
7.
Click save .

88 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
The Traps management service sends the latest policy with the hash exception to the specified
endpoints at the next heartbeat communication with the Traps agent.
8. At any time, you can return to the Exceptions > Process Exceptions page to make changes to the
exception or Disable or delete a process exception. if it is no longer required.

• Disable or delete a process exception.


If a process exception is no longer required you can temporarily disable or permanently delete it.
1. Return to the Exceptions > Process Exceptions.
For each process, the Process Exceptions page displays the Profile Type, process name, and
endpoints to which to which the exception applies. The page also displays the time the exception was
last modified, and any comments entered to describe the exception.
2. Select the check box next to the policy exception.
3. At the top of the Process Exception table, select the appropriate action, either to disable or to
delete the process exception.
From the edit view of a process exception, you can also select these actions. You can also Disable or
Delete the process exception by selecting the action from the menu that appears to the right of the
comments column when you hover over the process exception.
If you disable the exception, you can return to the Exceptions page at a later time to enable it. If you
delete the exception, the Traps management service permanently deletes the exception and removes
it from view.

Create a Hash Exception


From the Hash Exceptions page you can view all hash exceptions that override the WildFire verdict.
For each file, the Hash Exception page displays the SHA256 hash, the exception verdict (set by an
administrator), the WildFire verdict (for comparison), the time the exception was last modified, and any
comments entered to describe the exception.
To add a new hash exception:

• Create a hash exception for a file using the file name.


1. Select File Analytics.
2. Use the filters to find the file.
3. Select the File Name to open the details view for the file.
4. Click Create Exception.
5. Select the Verdict for the file, Benign or Malware.
6. Click to save the exception.
7. If at any point you no longer need to exception, you can delete it from the Exceptions > Hash
Exceptions page.

• Create a hash exception using the SHA256 hash value.


1. Identify the hash of the file for which you want to create an exception.
You can create a hash exception from either the Exceptions or File Analytics pages.
From the Exceptions page.
1. Select Exceptions > Hash Exceptions.
2. Click Actions > Create.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 89
© 2018 Palo Alto Networks, Inc.
As an alternative to defining individual hashes, you can also use the Import CSV
action to import hashes and verdicts as a comma-separated values (CSV) file. The
Traps management service accepts a CSV file with the following fields: Verdict,
Hash, Name, and FileType, where:
• Verdict—0 for benign or 1 for malware
• Hash—SHA256 hash value
• Name—Name of the file
• FileType—One of the following:
• 0—Unknown
• 1—PE
• 2—Mach-O
• 3—DLL
• 4—Office File
• 5—ELF
For example:

3. Enter the SHA256 hash and corresponding verdict—Benign or Malware.


4. Click + to repeat the process for up to four additional files (five total) and then click Add when
finished.

From the File Analytics page.


1. Enter the SHA256 hash and corresponding verdict—Benign or Malware.
2. Select to save the hash exception.
The Traps management service delivers the updated security policy at the next heartbeat
communication with the agent. When the file next tries to run, Traps treats it according to the hash
exception policy.

• Disable or delete a hash exception:


1. Select the type of policy exception, Hash Exceptions.
2. Select the check box next to the policy exception and then click the edit icon.
3. Select Disable to temporarily disable the policy exception or Delete to remove the exception
completely.
If you select Disable, you can return to the Exceptions page at a later time to Enable the exception. If
you Delete the exception, the Traps management service removes the exception from view.

90 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
Manage Support Exceptions
Support exceptions are not configurable but are available as a tool for Palo Alto Networks to use to issue
temporary amendments or changes to your specific security policy. Palo Alto Networks can issue support
exceptions which change the default configuration of an internal module and other settings related to your
security policy. To deliver a support exception, Support can provide a JSON file containing the configuration
changes or amendments to your default policy. After receiving the support exception file, you can manually
import it to the Traps management service.
The Support Exceptions page displays all support exceptions issued to your Traps management service
tenant. This page is typically blank unless you are actively working with Support to address a policy-related
issue. When present, the Traps management service displays the Name of the support exception, the
Profile Type changed by the support exception, any Endpoints to which the support exception applies, the
creation time, and any administrative comments logged for the exception.
After Palo Alto Networks issues your tenant a support exception, you can assign it to one or more hosts.

STEP 1 | Delete or disable any exceptions you defined which will conflict with the support exception.
Administrator-defined exceptions take precedence over support exceptions.

STEP 2 | Select Exceptions > Support Exceptions.

STEP 3 | Import the support exception you received from Support.


1. Select Actions > Import Support Exception.
2. Select the JSON file you want to import and then click Upload.

STEP 4 | Select the Name of the support exception.

STEP 5 | To enable the support exception, assign it to one or more hosts.


Click the + to select a host to which the support exception applies. Repeat the process to add additional
hosts.

STEP 6 | Enter an administrative comment that explains the purpose of the support exception or
provides any additional details.

STEP 7 | To save the policy exception, click .

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 91
© 2018 Palo Alto Networks, Inc.
The Traps management service issues the policy exception to the host at the next heartbeat
communication.

STEP 8 | After you are done with the support exception, you can temporarily disable it or permanently
delete it.
Select the check box for the support exception and click the icon for the desired action.

92 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
Scan an Endpoint for Malware
In addition to blocking the execution of malware, Traps can scan your Windows endpoints and attached
removable drives for dormant malware that is not actively attempting to run. If you enable Traps to
quarantine malicious files, Traps can also automatically quarantine any malware it finds during the scan.
Otherwise, Traps only reports the malware to the Traps management service so that you can manually take
additional action to remove the malware before it is triggered and attempts to harm the endpoint.
You can scan your endpoints for malware in two ways: You can enable automatic periodic scanning of
endpoints as part of a malware security profile (see Add a New Malware Security Profile) and you can run
an on-demand scan on one or more endpoints.
When a scan is triggered on an endpoint, Traps collects hashes of all executable files, Office files containing
macros, and DLLs and sends them to the Traps management service. The Traps management service
then submits the hashes to WildFire to determine whether any of the files are malware. If the hash is
unknown to WildFire, the Traps management service can also submit the file for in-depth analysis. The
Traps management service then logs a security event for each file that WildFire returns with a malware
verdict.
After the scan completes, you can view the high level Scanning Report on the Endpoints >
<endpoint_name> > Policy tab.

The Scanning Report provides clickable results to help you quickly identify any files that require
remediation.
• Malware—Takes you to a filtered view of Security Events reported by the Traps agent for this scan. For
additional details about an event, select the event name. Use the information—such as the quarantine
status and file path—to determine whether you need to take additional action to remediate the file on
the endpoint.
• Errors—Takes you to a filtered view of total events categorized by the event type File Scan Failed on the
specific endpoint.
To run a scan on-demand:

STEP 1 | Select Endpoints.

STEP 2 | Select the Windows endpoints you want to scan.

To reduce the number of results, use the endpoint name search and filters (Status,
Operating System (OS), or endpoint Group) at the top of the table.

STEP 3 | Select to initiate scanning on the endpoints.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 93
© 2018 Palo Alto Networks, Inc.
You can also initiate a scan on an endpoint from the details view (click Scan Now).

Scanning is available on Windows endpoints only. The Traps management service


ignores any scanning requests for non-Windows endpoints. Scanning is also not available
for inactive endpoints.

If at anytime, you want to abort the scan, select the endpoints, and then click the abort scan icon . Or,
to abort the scan of a specific endpoint, select Abort Scan from the details view of an endpoint and then
confirm the action.

STEP 4 | View the scan results.


After Traps completes a scan, it reports the results to the Traps management service. The Traps
management service logs a security event for each malicious file Traps detected. The Traps management
service also summarizes the scanning results per endpoint.
To view the Scanning Report for a specific endpoint:
1. On the Endpoints page, select the name of the endpoint for which you want to view the scan results.
The Traps management service displays additional details about the endpoint.
2. Select Policy.
3. View the Scanning Report.
During the scan, the scan STATUS displays as Pending.
After the scan completes, the Traps management service displays the number of malicious files Traps
detected, the total number of FILES SCANNED, and the total number of file errors that occurred
during the scan.
4. To view malware detected during the scan, select Malware.
The Traps management service jumps to the filtered list of security events detected during the scan.

94 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
The Traps management service logs scanning events for malicious files with an EVENT type of
WildFire Malware and the ACTION of Scanned. To view in-depth details about the file behavior, you
can Review WildFire Analysis Details.
5. To view files which failed to scan, select Errors.
The Scanning Report displays the total number of errors that occurred during the scan. When you
select Errors, the Traps management service jumps to the filtered list of all file scanning errors logged
for the endpoint during the selected time period (by default, 30 days). If you ran multiple scans on
an endpoint, the total number of events logged for the endpoint can be greater than the number
displayed in an individual Scanning Report.

To repeat the query without locating the Scanning Report, use the query filters at the
top of the Endpoint Logs page (Time, endpoint name, and event Type).

For additional context on an event, review the Message field to determine the file and reason for the
scan failure.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 95
© 2018 Palo Alto Networks, Inc.
Investigate a File
Each time a file attempts to run on a Mac, or Windows endpoint, Traps logs the event and reports it to the
Traps management service. The File Analytics page in the Traps management service displays all the files
that run on your endpoints, their corresponding verdicts, and other details about the files. When a security
event occurs or a specific file warrants investigation, you can review the WildFire Analysis Report, view
which endpoints have attempted to run the file, and if necessary, create an exception to override the official
verdict.

To investigate a file:

STEP 1 | Select File Analytics.

STEP 2 | Filter for one or more files.


• By timeframe—Select the Timeframe period for which you would like to filter the files: Last 24 hours,
Last 7 days, Last 30 days, Last 3 Months.
• By file name or SHA256—Enter a full or partial File Name in the Search field. Or to search for a file
by its SHA256 hash value, select SHA256 instead of File Name and enter the full value.
• By endpoint—Enter a full or partial Endpoint hostname (or alias, if assigned) in the Search field.
The Traps management service filters the results based on your filter or search criteria.

STEP 3 | Select the File Name to view additional details about the file.
The Traps management service summarizes details about the file and displays the most recent verdict
assigned to the file along with the verdict source.

STEP 4 | To view the endpoints on which a file attempted to run during the last month, click the
Endpoints tab.
The Traps management service displays details about each Endpoint including the Endpoint name, User
that was logged in when the file attempted to run, full File path, local analysis verdict (if issued), Content
Version for the local policy, and the date when the file was Last seen.

96 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
STEP 5 | Select the WildFire tab to Review WildFire Analysis Details

STEP 6 | If after analyzing the WildFire Analysis Report and completing any additional research, you
believe the verdict for the file is incorrect:
• Report an incorrect verdict to Palo Alto Networks.
• Create a Hash Exception

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 97
© 2018 Palo Alto Networks, Inc.
Review WildFire Analysis Details
For each file, the Traps management service receives a file verdict and the WildFire Analysis Report
detailing additional information you can use to assess the nature of a file.
• Drill down into WildFire Analysis Details.
• Download the official WildFire report.
• Report an incorrect verdict to Palo Alto Networks.

• Drill down into WildFire Analysis Details.


WildFire analysis details are available for files that receive a WildFire verdict. You can view the WildFire
Analysis Report on the WildFire tab of a File Analytics entry. If the file attempted to run and triggered a
Local Analysis or WildFire event, you can also view the report from the associated Security Events entry.
1. Select the Event on the Security Events page or the File Name on the File Analytics page.
The Traps management service displays additional details about the security event or file.
2. Select WildFire.
The following figure displays an example of the WildFire analysis details of a file on the File Analytics
page, however the details are very similar to what you would see on the WildFire tab of a security
event.

98 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
3. Select the testing environment, for example Windows 7 x64 SP1, to review the summary and
additional details for that testing environment.
4. Expand the different sections of the report to view the reported behavior for the file.

• Download the official WildFire report.


1. Select the Event on the Security Events page or the File Name on the File Analytics page.
2. Select the WildFire tab.
3. Select at the top of the WildFire details view to download the report.
The Traps management service exports the PDF report for you to save.

• Report an incorrect verdict to Palo Alto Networks.


1. Select the Event on the Security Events page or the File Name on the File Analytics page.
2. Select the WildFire tab.
3. Review the sample information and verify the verdict that you are reporting.
4. Select at the top of the WildFire details view to report the file to Palo Alto Networks.
5. Suggest a different Verdict for the hash.
6. (Optional) Enter an email address to receive an email notification after Palo Alto Networks completes
the additional analysis.
7. (Optional but recommended) Enter any details that may help us to better understand why you
disagree with the verdict.
8. Click Report.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 99
© 2018 Palo Alto Networks, Inc.
Manage Quarantined Files
You can enable Traps to quarantine malicious files on Windows endpoints as part of a malware security
profile. When malware attempts to run, Traps automatically quarantines the file by moving it from a local or
removable hard-drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine). This isolates
and prevents the file from causing any harm to your endpoints.
To evaluate whether an executable file is considered malicious, Traps uses information from the following
sources:
• WildFire threat intelligence
• Local analysis
• Hash exception poilcy
Due to the nature of our ever-changing threat landscape, WildFire can reevaluate the nature of a file and,
if it determines the file to be benign, update the WildFire verdict. You can also Create a Hash Exception to
change the file verdict in your Traps management service tenant. You might create a hash exception if, after
using available threat intelligence—such as from WildFire or AutoFocus—you believe a quarantined file is
not malicious and is instead benign.
To manage quarantined files, you can:
• View the quarantine status for a malicious file.
• Review details about files that are eligible for restoration.
• Restore a benign file to its original location.
• Archive a restoration candidate.

• View the quarantine status for a malicious file.


The Traps management service displays the quarantine status in the details view of a security event.
1. Select Security Events.
2. Select the name of the Event for which you want to view the quarantine status.
The Traps management service displays additional details about the security event.
3. In the Module area of the additional details view, view the QUARANTINE STATUS.

The QUARANTINE STATUS is one of the following:


• Quarantined—Traps successfully quarantined the file on the endpoint.
• Quarantine Failed—Traps failed to quarantine the file before the next endpoint restart.
• Not Quarantined—Traps did not quarantine a file due to the malware security policy (Quarantine
malicious files is disabled).
• Quarantine Record Deleted—The quarantine record was deleted on the endpoint manually or by
Cytool.

100 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
• Pending Restore—The Traps management service has instructed the Traps agent to restore the
file, but Traps has not yet completed the action.
• Restore Succeeded—The Traps agent successfully restored the file to its original location on the
endpoint.
• Restore Failed—The Traps agent failed to restore the file within the timeout.

• Review details about files that are eligible for restoration.


The Traps management service displays all quarantined files whose verdict has changed from malware to
benign—either by WildFire or a hash exception—on the Logs > Restore Candidates page. If your malware
security policy does not treat grayware as malware, the Restore Candidates page also displays files
whose verdict changed from malware to grayware. Review all restoration candidates and decide whether
to restore the files to their original locations on your endpoints:
1. Select and then view all Restore Candidates.

For each file, the Traps management service displays the following information:
• First File Name—The name of file when Traps first logged an attempt to run.
• Verdict—Verdict change which made the file eligible for restoration
• Hash—SHA256 hash value for the file.
• Endpoints—Name and platform type of the endpoints on which the file was quarantined.
• Statuses—Quarantine or restoration status of the file, one of the following: Quarantined, Restore
Succeeded, Pending Restore, Restore Failed, Quarantine Record Deleted. For details on these
statuses, see View the quarantine status for a malicious file.
2. To view additional details about the file, select the First File Name associated with the file.
In addition to the fields above, the Traps management service displays the following information for
each endpoint on which the file was quarantined.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 101
© 2018 Palo Alto Networks, Inc.
• Endpoint—Name and platform type of the endpoint.
• File Name—File name on the endpoint.
• Status—Quarantine/restoration status of the file on the endpoint.
• Event—Unique identifier and link to the original security event.

• Restore a benign file to its original location.


If Traps quarantined a file due to a malware verdict, and you believe that file is not malicious and want
to restore it to its original location, you must first Create a Hash Exception. If you do not block grayware,
you can also restore files that change from a malware verdict to grayware.
You can restore a file using either of two methods:
• From the Logs > Restore Candidates page:
1. Select the check box next to the file, and click restore icon. From the details view of the
restoration candidate, you can also click Restore.

The Traps management service prompts you to confirm your selection.


2. Click Restore again to confirm. The Traps management service sends the instruction to restore the
file at the next heartbeat communication with the Traps agent on all endpoints on which the file
was quarantined.
• From the details view of a security event:
1. Select Create Exception.

102 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
© 2018 Palo Alto Networks, Inc.
2. Review the details of the exception and enter any comments to explain the reason for the
exception.
3. Click to save the exception.
The Traps management service prompts you to Restore the file, if desired.
4. Click Restore to restore the file immediately. Otherwise, to restore the file at a later time, click
Cancel. When you are ready to restore the file, go to the Logs > Restore Candidates page.
The Traps management service sends the instruction to restore the file at the next heartbeat
communication with the Traps agent on all endpoints on which the file was quarantined.

• Archive a restoration candidate.


At any time, you can remove a file from the Logs > Restore Candidates page.

If you remove a file before you restore it, the file will remain in quarantine.

From the Restore Candidates page:


1. Select the check box next to the file, and click the archive icon. From the details view of the
restoration candidate, you can also click Archive.

The Traps management service prompts you to confirm your selection.


2. Click Archive again to confirm.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events 103
© 2018 Palo Alto Networks, Inc.
104 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | Assess and Remediate Security Events
View and Manage Logs
A log is an automatically generated, time-stamped file that provides an audit trail for system
events on the Traps management system or the endpoint that the Traps agent monitors. Log
entries contain artifacts, which are properties, activities, or behaviors associated with the
logged event, such as the name of the endpoint and the action recorded.
The Traps management service categorizes logs as follows:

> Threat logs—Information about all security events logged by Traps, including malware and
exploit preventions, post-detection events, and notifications related to restriction rules that
occur on the endpoints in your organization. These logs are visible on the Security Events
page.
> Config logs—Audit logs recorded by Traps management service. These logs include
policy events, such as changes to the security policy, exception management, and
profile management. Audit logs also include other configuration changes, such as device
management, distribution management and system management. These logs are visible on
the Logs >Server Logs page.
> System logs—System logs contain data about the ongoing monitoring of Traps management
service and agent events. This includes changes or updates to license management, agent
registration, user authentication, agent connectivity status, agent upgrade and agent
protection status. System logs are often required for day-to-day operations as well as
support and troubleshooting activities. Traps management service system logs are visible on
the Logs >Server Logs page and Traps agent system logs are visible on the Logs > Endpoint
Logs page.
> Analytics Logs—File execution logs reported on an hourly basis. Information derived from
these logs is available on the File Analytics page.

For more information, see the following topics:

> Log Types and Severity Levels


> Data Retrieval
> View Logs from the Traps Management Service
> Filter Logs on the Traps Management Service
> Export Logs from the Traps Management Service
> Forward Traps Logs to a Syslog Server

105
106 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Log Types and Severity Levels
• Endpoint Logs
• Configuration Logs
• Policy Logs
• System Logs

Endpoint Logs
Endpoint logs display entries for events monitored by the Traps agent and are classified with a record type
of system and a category. The Traps agent logs an endpoint event for the following categories of events:
• Audit—Changes to the agent software, policy, or services as initiated by the administrator.
• Monitoring—Change in status for actions carried out or monitored by the Traps agent such as
quarantine, log quota, or policy applications.
• Status—Changes to the agent protection status.
Each entry includes the event category which identifies the type of configuration event that occurred, the
specific type of event, the severity of the event which corresponds to the event type, a descriptive message
which describes the log event, the username of the local active user on the endpoint, and the date and time
the event occurred.
The following describes the endpoint logs that you can view on the Traps management service.

Log Type Severity Record Type Category

Hash Exceptions Info system Audit


Updated Successfully
Message: Hash exception created for hash {processHash}, verdict changed to
{verdict}

Local Analysis Feature Low system Monitoring


Extraction Failed
Message: Local Analysis failed to extract feature from process {processName}
on machine {machineName}

Local Analysis Model Low system Monitoring


Failed
Message: Local Analysis failed to extract model on machine {machineName}

Module Initialization Low system Monitoring


Failed
Message: Module {moduleName} initiation failed on process {processName}
on machine {machineName}

Process Exceptions Info system Audit


Updated Successfully
Message: {SupportProcess} exception applied on process {processName}, on
module {moduleName}

Quarantine File Failed Low system Monitoring

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 107
© 2018 Palo Alto Networks, Inc.
Log Type Severity Record Type Category

Message: Failed to quarantine file {fileName} on machine {machineName}

Quarantine File Info system Monitoring


Succeeded
Message: Successfully quarantined file {fileName} on machine {machineName}

Restore Quarantined Medium system Monitoring


File Failed
Message: Failed to restore file {fileName} on machine {machineName}

Restore Quarantined Info system Monitoring


File Succeeded
Message: Successfully restored file {fileName} on machine {machineName}

Scanning Endpint Info system Monitoring


Completed
Message: Scanning for malicious files completed successfully on Machine
{machineName}

Scanning Endpoint Low system Monitoring


Failed to Complete
Message: Scanning for malicious files failed on Machine {machineName}

Server Message Low system Monitoring


Handing Error
Message: Action {SAMName} failed on machine {machineName}

Server Message Info system Audit


Handled Successfully
Message: Action {SAMName} execution completed successfully on machine
{machineName}

Traps Agent Content Low system Monitoring


Update Failed
Message: Security Content failed to update on {machineName}

Traps Agent Content Info system Audit


Updated Successfully
Message: Security Content updated successfully on {machineName}

Traps Agent Installation Critical system Audit


Failed
Message: Traps Agent version {agentVersion} failed to install on
{machineName}

Traps Agent Installed Info system Audit


Successfully
Message: Traps Agent version {agentVersion} installed successfully on
{machineName}

108 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Log Type Severity Record Type Category

Traps Agent Local Info system Audit


Configuration Changed
Message: Traps Agent configuration change locally:
{configurationDescription}, by user {localUser}

Traps Agent Policy Low system Monitoring


Update Failed
Message: Traps Agent policy failed to update on {machineName}

Traps Agent Policy Info system Audit


Updated Successfully
Message: Traps Agent policy updated successfully on {machineName}

Traps Agent Quota Low system Monitoring


Exceeded
Message: Traps Agent quota exceeded on machine {machineName}

Traps Agent Service Low system Monitoring


Paused
Message: Traps service {trapsServiceName} was paused on machine
{machineName}

Traps Agent Service High system Audit


Start Failed
Message: Failed to start Traps service {trapsServiceName} on machine
{machineName}

Traps Agent Service High system Audit


Stopped
Message: Traps service {trapsServiceName} was stopped on machine
{machineName}

Traps Agent Uninstalled Info system Audit

Message: Traps Agent version {agentVersion} uninstalled successfully on


{machineName}

Traps Agent Upgrade Medium system Monitoring


Failed
Message: Traps Agent failed to upgrade from version {oldAgentVersion} to
version {newAgentVersion} on {machineName}

Traps Agent Upgraded Info system Audit


Successfully
Message: Traps Agent upgraded successfully from version {oldAgentVersion}
to version {newAgentVersion} on {machineName}

Traps Fully Protected Info system Status

Message: Machine {machineName} is fully protected

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 109
© 2018 Palo Alto Networks, Inc.
Log Type Severity Record Type Category

Traps Protection Critical system Status


Incompatibility
Message: Machine {machineName} is not protected due to {osVersion}
incompatibility

Server Logs
From the Server Logs pages, you can view the following classes of logs:
• Configuration Logs
• Policy Logs
• System Logs

Configuration Logs
Configuration logs display entries for changes to the Traps management service and are classified with a
record type of config. The Traps management service logs a configuration event for the following categories
of events:
• Device Management—Administrative changes to endpoint groups and agent uninstall and upgrade
messages.
• Distribution Management—Administrative management of Traps software packages.
• Restore Candidate—Administrative management of quarantined files.
• Security Event Management—Administrative management of security events.
• System Management—Data management actions such as requests for, download, or export of data.
Each log entry includes the event category which identifies the type of configuration event that occurred,
the specific type of event, the severity of the event which corresponds to the event type (Configuration
logs all receive the Info severity level), a descriptive message which describes the log event, the username
of the administrator who initiated the change, and the date and time the event occurred.
The following table describes the configuration logs that you can view on the Traps management service.

Log Type Severity Record Type Category

Data Downloaded Info config System Management

Message: {TechSupportFileInstallationPackageWildFireReport} was


downloaded from {currentScreentable} by admin user {userFullName} -
{userName}

Data Exported Info config System Management

Message: Data Exported from {currentScreentable} by admin user


{userFullName} - {userName}

Distribution Deleted Info config Distribution


Management

Message: Endpoint distribution package {distributionName} was deleted by


admin user {userFullName} - {userName}

110 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Log Type Severity Record Type Category

Endpoint Action Info config Device Management


Executed
Message: Endpoint action of type {actionType} was executed on endpoint
{endpointName} by admin user {endpointName} - {userFullName}

Endpoint Action Info config Device Management


Omitted
Message: Actions of type {actionType} were not sent to {ignoredCount}
endpoints

Endpoint Group Info config Device Management


Created
Message: A new endpoint group {groupName} was created by admin user
{userFullName} - {userName}

Endpoint Group Info config Device Management


Deleted
Message: Endpoint group {groupName} was deleted by admin user
{userFullName} - {userName}

Endpoint Group Edited Info config Device Management

Message: Endpoint group {groupName} was edited by admin user


{userFullName} - {userName}

New Distribution Info config Distribution


Created Management

Message: An endpoint distribution package {distributionName} was created


by admin user {userFullName} - {userName}

Restore Candidate Info config Restore Candidate


Archive
Message: Marked {archivedNumber} Restore Candidates as archived

Restore Candidate Info config Restore Candidate


Restore
Message: Initiated restore proccess to {restoredNumber} Restore Candidates
with hash {hash}

Retrieve Data Message Info config Security Event


Created Management

Message: A retrieve security event data message was created for event
{preventionKey} on endpoint {endpointID} by admin user {userFullName} -
{userName}

Scan Message Created Info config Device Management

Message: Traps Agent scan message created for endpoint {endpointName} by


admin user {userFullName} - {userName}

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 111
© 2018 Palo Alto Networks, Inc.
Log Type Severity Record Type Category

Security Event Archived Info config Security Event


Management

Message: Security Event {preventionKey} was archived by admin user


{userFullName} - {userName}

Security Event Note Info config Security Event


Added Management

Message: A new note was added to Security Event {preventionKey} by admin


user {userFullName} - {userName}

Tech Support File Info config System Management


Requested
Message: A Tech Support File was requested from endpoint {endpointName}
by admin user {userFullName} - {userName}

Traps Agent Uninstall Info config Device Management


Message Created
Message: Traps Agent uninstall message created for endpoint
{endpointName} by admin user {userFullName} - {userName}

Traps Agent Upgrade Info config Device Management


Message Created
Message: Traps Agent update to version {agentVersion} message was created
for endpoint {endpointID} by admin user {userFullName} - {userName}

Policy Logs
Policy logs display entries for changes to the security policy and are classified with a record type of config.
The Traps management service logs a policy event for the following subclasses of events:
• Exception Management—Administrative management of policy exceptions.
• Policy Management—Administrative management of policy rules.
• Profile Management—Administrative management of security profiles.
• System Management—Errors applying policies.
Each entry includes the event category which identifies the type of configuration event that occurred,
the specific type of event, the severity of the event which corresponds to the event type (Policy logs all
receive the Info severity level), a descriptive message which describes the log event, and the date and time
the event occurred. If an administrator initiated the change, the entry also includes the username of the
administrator.
The following table describes the policy logs that you can view on the Traps management service.

Log Name Severity Record Type Category

Agent Action Command Info config System Management


Omitted
Message: {samName} command was not sent to {numberOfEndpoints}
endpoints

112 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Log Name Severity Record Type Category

Error Creating Agent Info config System Management


Action Command
Message: Faild to send {samName} command to Agent {agentId}

Error Updating Data Info config System Management


Retrive Info
Message: Faild to update information of Data Retrive command {samId} for
Security Event {preventionKey}

Exception Deleted Info config Exception Management

Message: {exceptionMsg} was deleted by admin user {userFullName} -


{userName}

Exception Disabled Info config Exception Management

Message: {exceptionMsg} was disabled by admin user {userFullName} -


{userName}

Exception Edited Info config Exception Management

Message: {exceptionMsg} was edited by admin user {userFullName} -


{userName}

Exception Enabled Info config Exception Management

Message: {exceptionMsg} was enabled by admin user {userFullName} -


{userName}

Exception Note Added Info config Exception Management

Message: A note was added to {exceptionMsg} by admin user {userFullName}


- {userName}

Hash Exception Info config Exception Management


Created
Message: Exception was created for hash {hash} overriding the verdict
from {hashOldVerdict} to {hashNewVerdict} by admin user {userFullName} -
{userName}

Imported Hash Info config Exception Management


Exception
Message: Imported {exceptionCount} hashes by admin user {userFullName} -
{userName}

Imported support Info config Exception Management


exception
Message: Imported support exception named: {userFullName} by admin user
{userName} - {3}

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 113
© 2018 Palo Alto Networks, Inc.
Log Name Severity Record Type Category

Inserted Hash Info config Exception Management


Exception
Message: Inserted hash exceptions: {exceptionID} by admin user
{userFullName} - {userName}

Inserted process Info config Exception Management


exception
Message: Inserted process exception with module {exceptionModule},
process {exceptionProcess} and platform {exceptionPlatform} by admin user
{userFullName} - {userName}

New Policy Rule Info config Policy Management


Created
Message: A new Traps policy rule {PolicyRuleId} was created by admin user
{userFullName} - {userName}

New Profile Created Info config Profile Management

Message: A Traps profile {ProfileName} was created by admin user


{userFullName} - {userName}

Policy Rule Deleted Info config Policy Management

Message: Traps policy rule {PolicyRuleId} was deleted by admin user


{userFullName} - {userName}

Policy Rule Edited Info config Policy Management

Message: Traps policy rule {PolicyRuleId} was edited by admin user


{userFullName} - {userName}

Policy Rule Reordered Info config Policy Management

Message: Policy Rule {PolicyRuleId} order was changed to {newOrderNumber}


by admin user {userFullName} - {userName}

Policy Rule Status Info config Policy Management


Changed
Message: Traps policy rule {PolicyRuleId} status was changed to
{enableddisabled} by admin user {userFullName} - {userName}

Process Exception Info config Exception Management


Created
Message: A new process exception with module {exceptionModule}, process
{exceptionProcess} and platform {exceptionPlatform} was created from
security event {preventionKey} by admin user {userFullName} - {userName}

Profile Deleted Info config Profile Management

Message: Traps Profile {ProfileName} was deleted by admin user


{userFullName} - {userName}

114 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Log Name Severity Record Type Category

Profile Edited Info config Profile Management

Message: Traps Profile {ProfileName} was edited by admin user


{userFullName} - {userName}

System Logs
System logs display entries for changes to the Traps management service and are classified with a record
type of system and category. The Traps management service logs a system event for the following
categories of events:
• Licensing—License capacity and change events.
• Provisioning—Agent onboarding issues.
• Security Event—Issues saving prevention data related to a security event.
• User Authentication—Agent authentication issues commonly due to an unauthorized endpoint.
Each entry includes the event category which identifies the type of event that occurred, the specific type of
system event, the severity of the event which corresponds to the event type, a descriptive message which
describes the log event, and the date and time the event occurred.
The following table describes the system logs that you can view on the Traps management service.

Log Name Severity Record Type Category

Agent Confirmation High system Provisioning


Failed
Message: Agent confirmation failed for agent: {agentId}

Agent Registration High system Provisioning


Failed
Message: Agent registration to distribution {distributionId} failed. Error:
{tenantId} - {errorMessage}

Agent Uninstall Failure High system Provisioning

Message: Agent uninstall failed for agent: {agentId}

Agent is Unauthorized High system User Authentication

Message: Agent {agentId} is unauthorized

Duplicate Agent ID Medium system User Authentication


Detected
Message: Tried to create token data for duplicate agent id {agentId}

Failed Getting High system Provisioning


Subdomain
Message: Core subdomain query failed for agent: {agentId}

Failed to save High system Security Event


prevention

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 115
© 2018 Palo Alto Networks, Inc.
Log Name Severity Record Type Category

Message: Failed to store prevention data in db.

License capacity grace Medium system Licensing

Message: Licenses pool reached capacity grace

License capacity Medium system Licensing


reached
Message: Licenses pool reached full capacity

License capacity Medium system Licensing


warning
Message: Licenses pool reached {percent}% capacity

License expiration Medium system Licensing


warning
Message: License will expire in less then {days} days.

License expired Medium system Licensing

Message: License expired

Tenant DS pairing High system Provisioning


modification failed
Message: Tenant {tenantExternalName} directory service pairing modification
failed, status code: {statusCode}

Tenant DS pairing Info system Provisioning


modification
successfully Message: Tenant {tenantExternalName} paired successfully with directory
service {dsName} by user: {activeUser}

Tenant DS pairing Info system Provisioning


removal successfully
Message: Tenant {tenantExternalName} pairing successfully removed with
directory service by user: {activeUser}

Tenant WF api key High system Provisioning


modification failed
Message: Tenant {tenantExternalName} WF api key modification failed, status
code: {statusCode}

Tenant WF api Info system Provisioning


key modification
successfully Message: Tenant {tenantExternalName} WF api key successfully modified by
user: {activeUser}, new API key: {newWFAPIkey}

Tenant created Info system Provisioning


successfully
Message: Tenant {tenantExternalName} was created successfully

116 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Log Name Severity Record Type Category

Tenant license High system Provisioning


expansion failed
Message: Tenant {tenantExternalName} license expansion failed, status code:
{statusCode}

Tenant license Info system Provisioning


expansion successfully
Message: Tenant {tenantExternalName} number of licenses was expended
successfully, new number of licenses: {newLicenseNumber}

Tenant license renewed High system Provisioning


failed
Message: Tenant {tenantExternalName} license renewal failed, status code:
{statusCode}

Tenant license renewed Info system Provisioning


successfully
Message: Tenant {tenantExternalName} license was renewed successfully,
new expiration date: {newLicenseExpirationDate}

Tenant name High system Provisioning


modification failed
Message: Tenant {tenantExternalName} name modification failed, status
code: {statusCode}

Tenant name Info system Provisioning


modification
successfully Message: Tenant {oldName} was modified with name: {newName} by user:
{activeUser}

Unauthorized Agent High system User Authentication


Request
Message: Got request from unauthorized agent {agentId}

User login Info system Provisioning

Message: User {username} has logged in

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 117
© 2018 Palo Alto Networks, Inc.
Data Retrieval
To help you troubleshoot a system or security event, you can collect the following types of files:
• Tech Support File—On-demand aggregation of all logs for an endpoint to aid Technical Support in
troubleshooting and diagnosing system issues.
• Security Event Data—On demand aggregation of all forensic data (such as the memory dump) associated
with a security event.
For each log, you can view the following information:

Field Description

FILE NAME Name of the log ZIP file. If the Traps management service has received
the file, the file name also provides a link to download the file.

STATUS Status of the file upload. Finished when the Traps management service
has received the file, Pending while the upload is in progress, or Failed if
the upload was not successful or timed out.

TYPE Type of file requested: Tech Support File or Security Event Data.

SIZE Size of the file.

ENDPOINT Name of the endpoint for which data was requested.

UPLOAD TIME Universal coordinated time (UTC) when the data was requested,
adjusted for your local system time.

118 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
View Logs from the Traps Management
Service
You can view the different log types on the Traps management service in a tabular format. The logs on the
Traps management service are categorized by type and appear in various places throughout the interface.
Endpoint, server, and data management logs are available on the main Logs page and threat logs are
available on the Security Events pages. To learn more about the events that trigger the creation of entries,
see Log Types and Severity Levels.

STEP 1 | From the Traps management service, select Logs.

STEP 2 | Select the type of logs you want to review: Data Retrieval, Endpoint Logs, or Server Logs.
To view threat logs, go to the Security Events page.
From the Data Retrieval page, you can review the status of all files that have not been purged by the
data retention policy.

STEP 3 | (Optional) Filter Logs on the Traps Management Service.

STEP 4 | View details about log entries.

STEP 5 | (Optional) Export Logs from the Traps Management Service.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 119
© 2018 Palo Alto Networks, Inc.
Filter Logs on the Traps Management Service
Endpoint and server logs have a filter area that allows you to set a criteria for which log entries to display.
The ability to filter logs is useful for focusing on events on your Traps management service that possess
particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.

• Filter by Time.
Select the Time period for which you would like to filter security events: Last 24 hours, Last 7 days, Last
30 days, Last 3 Months.

• (Endpoint logs only) Filter by an Endpoint name.


Enter a full or partial endpoint hostname or alias. The Traps management service filters the logs by the
name as you type.

• (Server logs only) Filter by log Category.


Each server log has an associated category (subclass) which identifies the log type. To determine the
category for a server log, see Server Logs. Then select one or more categories for which you would like
to filter security events from the Category drop-down. The Traps management service filters the logs by
the categories you select.

• Filter by log Type.


1. (Optional) Enter a full or partial log name to display logs whose name matches a word or phrase. The
Traps management service filters the list of logs as you type.
2. Select one or more log names.

• Filter by log Severity.


Select one or more severities for which you would like to filter security events: Critical, High, Medium,
Low, or Info.

120 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Export Logs from the Traps Management
Service
To archive or save endpoint and server logs for future use, you can export logs from the Traps management
service in comma-separated values (CSV) format.

STEP 1 | From the Traps management service, select Logs.

STEP 2 | Select the type of logs you want to export: Endpoint Logs or Server Logs.
To view threat logs, go to the Security Events page.

STEP 3 | Select the export icon.


The Traps management service displays a confirmation dialog with a count of the number of logs it will
include in the export file.
To reduce the number of logs you are exporting you can click Cancel and return the to the logs page to
Filter Logs on the Traps Management Service.

STEP 4 | Click Export.


The Traps management service exports the logs to a CSV file.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 121
© 2018 Palo Alto Networks, Inc.
Forward Traps Logs to a Syslog Server
The logs stored on the Logging Service are available for queries and reports using Panorama and the
Application Framework. If you need to fulfill your organization's legal compliance requirements, the Log
Forwarding app enables you to easily forward logs stored on the Logging Service to an external Syslog
receiver. For example, you can forward logs to a SIEM for long term storage, SOC, or internal audit
obligations.

To meet your long term storage, reporting and monitoring, or legal and compliance needs, you can configure
a Syslog receiver and export all logs or a subset of logs stored on the Logging Service in the IETF Syslog
message format defined in RFC 5424. For each instance of the Logging Service, you can one deploy an
instance of the Log Forwarding app and forward logs to a single Syslog destination.
The communication between the Logging Service and the Syslog destination uses Syslog over TLS, and
upon connection, the Logging Service validates that the Syslog receiver has a certificate signed by a trusted
root CA. The Log Forwarding app does not support self-signed certificates.
To begin forwarding logs:
• Configure Log Forwarding
• Traps Logs Format for Syslog Export from the Logging Service

Configure Log Forwarding of Traps Logs


STEP 1 | To enable you to activate and configure the Log Forwarding app, ensure you have the Logging
Service role in the Customer Support Portal.
See Assign Roles to Manage Cloud Services.

STEP 2 | Add a Log Forwarding App Instance.


Before you can use the Log Forwarding app, you must activate it. You can then add a Log Forwarding
app instance to the Cloud Service Portal for each instance of the Logging Service you have purchased.
Each instance of the Log Forwarding app can forward logs to a single destination, and is associated with
only one instance of the Logging Service.

STEP 3 | Forward Logs from the Logging Service to a SyslogServer.

122 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
When you configure the Log Forwarding app, you can choose the Log Types you want to forward (all
subtypes within a log source, such as Traps, or only specific subtypes). For Traps, you can send Threat,
Config, System, or Analytics logs.

Traps Logs Format for Syslog Export from the Logging Service
The following topics list the standard fields of each Traps log type that the Logging Service app can forward
to an external server. To facilitate parsing, the delimiter is a comma: each field is a comma-separated value
(CSV) string. The FUTURE_USE tag applies to fields that the Traps management service does not currently
implement.
• Threat Logs
• Config Logs
• System Logs
• Analytics Logs

Threat Logs
Format: recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, tzOffset,
FUTURE_USE, facility, customerId, trapsId, , serverHost, serverComponentVersion, regionId, isEndpoint,
agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, , severity, trapsSeverity,
agentVersion, contentVersion, , protectionStatus, preventionKey, moduleId, profile, moduleStatusId,
verdict, preventionMode, terminate, terminateTarget, quarantine, block, postDetected, FUTURE_USE,
eventParameters(Array), sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), processes(Array),
files(Array), users(Array), urls(Array), description(Array)

Field Name Description

recordType Record type associated with the event which you can use when managing
logging quotas. Values are:
• config—Traps management service administration and configuration
changes.
• system—Automated system management and agent reporting events.
• analytics—Hourly hash execution report from the agent.
• threats—Security events that occur on the endpoints.

class Class of the Traps management service log; Values are: config, policy, system,
agent_log.

eventType Subtype of event.

generatedTime Universal Time Coordinated (UTC) equivalent of the time at which an event
was logged. For agent events, this represents the time on the endpoint. For
policy, configuration, and system events, this represents the time on the
Traps management service. ISO-8601 string representation (for example,
2017-01-24T09:08:59Z).

serverTime Universal Time Coordinated (UTC) equivalent of the time at which the server
generated the log. If the log was generated on an endpoint, this field identifies
the time the server received the log. ISO-8601 string representation (for
example, 2017-01-24T09:08:59Z).

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 123
© 2018 Palo Alto Networks, Inc.
Field Name Description

agentTime Universal Time Coordinated (UTC) equivalent of the time at which an agent
logged an event. ISO-8601 string representation.

tzOffset Effective endpoint time zone offset from UTC, in minutes.

facility The Traps system component that initiated the event, for example:
TrapsAgent, TrapsServiceCore, TrapsServiceManagement,
TrapsServiceBackend.

customerId The ID that uniquely identifies the Logging Service instance which received
this log record.

trapsId Tenant external ID.

serverHost Hostname of the Traps management service.

serverComponentVersion Software version of the Traps management service.

regionId ID of the Traps management service region. Values are:


• 10—Americas (N. Virginia)
• 70—EMEA (Frankfurt)

isEndpoint Indicates whether the event occurred on an endpoint.


• 0—No, host is not an endpoint.
• 1—Yes, host is an endpoint.

agentId Unique identifier for the Traps agent.

osType Operating system of the endpoint:


• 1—Windows
• 2—OS X/macOS
• 3—Android
• 4—Linux

isVdi Indicates whether the endpoint is a virtual desktop infrastructure (VDI):


• 0—The endpoint is not a VDI
• 1—The endpoint is a VDI

osVersion Full version number of the operating system running on the endpoint. For
example, 6.1.7601.19135.

is64 Indicates whether the endpoint is running a 64-bit version of Windows:


• 0—The endpoint is not running x64 architecture
• 1—The endpoint is running x64 architecture

agentIp IP address of the endpoint.

deviceName Hostname of the endpoint on which the event was logged.

124 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Field Name Description

deviceDomain Domain to which the endpoint belongs.

severity Syslog severity level associated with the event.


• 0—Critical
• 1—Error
• 2—Warning
• 3—Notice
• 4—Info
Each event also has an associated Traps severity. See the
messageData.trapsSeverity field for details.

trapsSeverity Severity level associated with the event defined for the Traps management
service. Each of these severities correspond to a syslog severity level:
• 0—Critical. Identical to the syslog 0 (Critical) severity level.
• 1—High. Corresponds to the syslog 1 (Error) severity level.
• 2—Medium. Corresponds to the syslog 2 (Warning) severity level.
• 3—Low. Corresponds to the syslog 3 (Notice) severity level.
• 4—Informational. Corresponds to the syslog 4 (Info) severity level.
• 5—Configuration. Corresponds to the syslog 4 (Info) severity level.
See also the severity log field.

agentVersion Version of the Traps agent.

contentVersion Content version in the local security policy.

protectionStatus Traps agent protection status:


• 0—Protected
• 1—OsVersionIncompatible
• 2—AgentIncompatible

preventionKey Unique identifier for security events.

moduleId Security module name.

profile Name of the security profile which triggered the event.

moduleStatusId Identifies the specific component of Traps modules. For example,


CYSTATUS_DEP_VIOLATION_UNALLOCATED or DLLPROT_BLACKLIST.

verdict Verdict for the file:


• 0—Benign
• 1—Malware
• 2—Grayware
• 4—Phishing
• 99—Unknown

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 125
© 2018 Palo Alto Networks, Inc.
Field Name Description

preventionMode Action carried out by the Traps agent (block or notify). The prevention mode
is specified in the rule’s configuration.

terminate Termination action taken on the file.


• 0—Traps did not terminate the file.
• 1—Traps terminated the file.

terminateTarget Termination action taken on the target file (relevant for some child process
execution events where we terminate the child process but not the parent
process); Values are:
• 0—Target file was not terminated.
• 1—Target file was terminated.

quarantine Quarantine action taken on the file; Values are:


• 0—File was not quarantined.
• 1—File was quarantined.

block Block action taken on the file:


• 0—File was not blocked
• 1—File was blocked.

postDetected Post detection status of the file:


• 0—Initial prevention.
• 1—Detected after an initial execution.

eventParameters(Array) Parameters associated with the type of event. For example, username,
endpoint hostname, and filename.

sourceProcessIdx(Array) The prevention source process index in the processes array.

targetProcessIdx(Array) Target process index in the processes array. A missing or negative value
means there is no target process.

fileIdx(Array) Index of target files for specific security events such as: Scanning, Malicious
DLL, Malicious Macro events.

processes(Array) All related details for the process file that triggered an event; Values are:
• 1—System process ID
• 2—Parent process ID
• 3—File object corresponding to the process executable file
• 4—Command line arguments (if any)
• 5—Description field of the VERSIONINFO resource
• 6—File version field of the VERSIONINFO resource

files(Array) File object includes:


• 1—SHA256 hash value of the file
• 2—SHA256 hash value of the macro

126 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Field Name Description
• 3—Raw full filepath
• 4—A predefined drive type: local, network mapped drive, UNC path host,
removable media, etc.
• 5—File name (with no extension), such as AdapterTroubleshooter
• 6—File extension (for example, EXE or DLL)
• 7—File type defined by the Traps agent
• 8—UTC file creation time
• 9—UTC file modification time
• 10—UTC file access time
• 11—File attributes bitmask
• 12—File size in bytes
• 13—Signer field of the code signing certificate

users(Array) Details about the active user on the endpoint when the event occurred:
• 1—Username of the active user on the endpoint.
• 2—Domain to which the user account belongs.

urls(Array) Additional details related to a URL:


• 1—Raw URL
• 2—URL schema; For example: HTTP, HTTPS, FTP, LDAP
• 3—Hostname in punycode
• 4—Host port
• 5—Canonicalized URL path part according to schema requirements
• 6—Query parameters (for http\s only)
• 7—Fragment parameters (for http\s only)

description(Array) (Mac only) Description of components related to Traps. For example, the
description of the ROP, JIT, Dylib hijacking modules for Mac endpoints is
Memory Corruption Exploit.

Config Logs
Format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime,
serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId,
isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn,
userFullName, userName

Field Name Description

recordType Record type associated with the event which you can use when managing
logging quotas. Values are:
• config—Traps management service administration and configuration
changes.
• system—Automated system management and agent reporting events.
• analytics—Hourly hash execution report from the agent.
• threats—Security events that occur on the endpoints.

class Class of the Traps management service log. Config logs have a value of config.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 127
© 2018 Palo Alto Networks, Inc.
Field Name Description

subClass Subclass of event. Used to categorize logs in the Traps management service
user interface.

subClassId Numeric representation of the subClass field for easy sorting and filtering.

eventType Subtype of event.

eventCategory Category of event, used internally for processing the flow of logs. Event
categories vary by class:
• config—deviceManagement, distributionManagement,
securityEventManagement, systemManagement
• policy—exceptionManagement, policyManagement, profileManagement
• system—licensing, provisioning, userAuthentication, workerProcessing
• agent_log—agentFlow

generatedTime Universal Time Coordinated (UTC) equivalent of the time at which an event
was logged. For agent events, this represents the time on the endpoint. For
policy, configuration, and system events, this represents the time on the
Traps management service. ISO-8601 string representation (for example,
2017-01-24T09:08:59Z).

serverTime Universal Time Coordinated (UTC) equivalent of the time at which the server
generated the log. If the log was generated on an endpoint, this field identifies
the time the server received the log. ISO-8601 string representation (for
example, 2017-01-24T09:08:59Z).

facility The Traps system component that initiated the event, for example:
TrapsAgent, TrapsServiceCore, TrapsServiceManagement,
TrapsServiceBackend.

customerId The ID that uniquely identifies the Logging Service instance which received
this log record.

trapsId Tenant external ID.

serverHost Hostname of the Traps management service.

serverComponentVersion Software version of the Traps management service.

regionId ID of the Traps management service region. Values are:


• 10—Americas (N. Virginia)
• 70—EMEA (Frankfurt)

isEndpoint Indicates whether the event occurred on an endpoint.


• 0—No, host is not an endpoint.
• 1—Yes, host is an endpoint.

agentId Unique identifier for the Traps agent.

severity Syslog severity level associated with the event.

128 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Field Name Description
• 0—Critical
• 1—Error
• 2—Warning
• 3—Notice
• 4—Info
Each event also has an associated Traps severity. See the
messageData.trapsSeverity field for details.

trapsSeverity Severity level associated with the event defined for the Traps management
service. Each of these severities correspond to a syslog severity level:
• 0—Critical. Identical to the syslog 0 (Critical) severity level.
• 1—High. Corresponds to the syslog 1 (Error) severity level.
• 2—Medium. Corresponds to the syslog 2 (Warning) severity level.
• 3—Low. Corresponds to the syslog 3 (Notice) severity level.
• 4—Informational. Corresponds to the syslog 4 (Info) severity level.
• 5—Configuration. Corresponds to the syslog 4 (Info) severity level.
See also the severity log field.

messageCode System-wide unique message code.

friendlyName Descriptive log message name.

msgTextEn Description of the event, in English.

userFullName Full name of the user logged in to the endpoint.

userName Email address associated with the logged on user.

System Logs
Format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime,
serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId,
isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn,
userFullName, userName

Field Name Description

recordType Record type associated with the event which you can use when managing
logging quotas. Values are:
• config—Traps management service administration and configuration
changes.
• system—Automated system management and agent reporting events.
• analytics—Hourly hash execution report from the agent.
• threats—Security events that occur on the endpoints.

class Class of the Traps management service log. System logs have a value of
system.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 129
© 2018 Palo Alto Networks, Inc.
Field Name Description

subClass Subclass of event. Used to categorize logs in the Traps management service
user interface.

subClassId Numeric representation of the subClass field for easy sorting and filtering.

eventType Subtype of event.

eventCategory Category of event, used internally for processing the flow of logs. Event
categories vary by class:
• config—deviceManagement, distributionManagement,
securityEventManagement, systemManagement
• policy—exceptionManagement, policyManagement, profileManagement
• system—licensing, provisioning, userAuthentication, workerProcessing
• agent_log—agentFlow

generatedTime Universal Time Coordinated (UTC) equivalent of the time at which an event
was logged. For agent events, this represents the time on the endpoint. For
policy, configuration, and system events, this represents the time on the
Traps management service. ISO-8601 string representation (for example,
2017-01-24T09:08:59Z).

serverTime Universal Time Coordinated (UTC) equivalent of the time at which the server
generated the log. If the log was generated on an endpoint, this field identifies
the time the server received the log. ISO-8601 string representation (for
example, 2017-01-24T09:08:59Z).

facility The Traps system component that initiated the event, for example:
TrapsAgent, TrapsServiceCore, TrapsServiceManagement,
TrapsServiceBackend.

customerId The ID that uniquely identifies the Logging Service instance which received
this log record.

trapsId Tenant external ID.

serverHost Hostname of the Traps management service.

serverComponentVersion Software version of the Traps management service.

regionId ID of the Traps management service region. Values are:


• 10—Americas (N. Virginia)
• 70—EMEA (Frankfurt)

isEndpoint Indicates whether the event occurred on an endpoint.


• 0—No, host is not an endpoint.
• 1—Yes, host is an endpoint.

agentId Unique identifier for the Traps agent.

severity Syslog severity level associated with the event.

130 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Field Name Description
• 0—Critical
• 1—Error
• 2—Warning
• 3—Notice
• 4—Info
Each event also has an associated Traps severity. See the
messageData.trapsSeverity field for details.

trapsSeverity Severity level associated with the event defined for the Traps management
service. Each of these severities correspond to a syslog severity level:
• 0—Critical. Identical to the syslog 0 (Critical) severity level.
• 1—High. Corresponds to the syslog 1 (Error) severity level.
• 2—Medium. Corresponds to the syslog 2 (Warning) severity level.
• 3—Low. Corresponds to the syslog 3 (Notice) severity level.
• 4—Informational. Corresponds to the syslog 4 (Info) severity level.
• 5—Configuration. Corresponds to the syslog 4 (Info) severity level.
See also the severity log field.

messageCode System-wide unique message code.

friendlyName Descriptive log message name.

msgTextEn Description of the event, in English.

userFullName Full name of the user logged in to the endpoint.

userName Email address associated with the logged on user.

Analytics Logs
Format: recordType, class, eventType, eventCategory, generatedTime, serverTime, agentTime, tzOffset,
FUTURE_USE, facility, customerId, trapsId, , serverHost, serverComponentVersion, regionId, isEndpoint,
agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, agentVersion,
contentVersion, , protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath, fileSize,
localAnalysisResult, reported, blocked, executionCount

Field Name Description

recordType Record type associated with the event which you can use when managing
logging quotas. Values are:
• config—Traps management service administration and configuration
changes.
• system—Automated system management and agent reporting events.
• analytics—Hourly hash execution report from the agent.
• threats—Security events that occur on the endpoints.

class Class of the Traps management service log; Values are: config, policy, system,
agent_log.

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 131
© 2018 Palo Alto Networks, Inc.
Field Name Description

eventType Subtype of event.

eventCategory Category of event, used internally for processing the flow of logs. Event
categories vary by class:
• config—deviceManagement, distributionManagement,
securityEventManagement, systemManagement
• policy—exceptionManagement, policyManagement, profileManagement
• system—licensing, provisioning, userAuthentication, workerProcessing
• agent_log—agentFlow

generatedTime Universal Time Coordinated (UTC) equivalent of the time at which an event
was logged. For agent events, this represents the time on the endpoint. For
policy, configuration, and system events, this represents the time on the
Traps management service. ISO-8601 string representation (for example,
2017-01-24T09:08:59Z).

serverTime Universal Time Coordinated (UTC) equivalent of the time at which the server
generated the log. If the log was generated on an endpoint, this field identifies
the time the server received the log. ISO-8601 string representation (for
example, 2017-01-24T09:08:59Z).

agentTime Universal Time Coordinated (UTC) equivalent of the time at which an agent
logged an event. ISO-8601 string representation.

tzOffset Effective endpoint time zone offset from UTC, in minutes.

facility The Traps system component that initiated the event, for example:
TrapsAgent, TrapsServiceCore, TrapsServiceManagement,
TrapsServiceBackend.

customerId The ID that uniquely identifies the Logging Service instance which received
this log record.

trapsId Tenant external ID.

serverHost Hostname of the Traps management service.

serverComponentVersion Software version of the Traps management service.

regionId ID of the Traps management service region. Values are:


• 10—Americas (N. Virginia)
• 70—EMEA (Frankfurt)

isEndpoint Indicates whether the event occurred on an endpoint.


• 0—No, host is not an endpoint.
• 1—Yes, host is an endpoint.

agentId Unique identifier for the Traps agent.

osType Operating system of the endpoint:

132 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs
© 2018 Palo Alto Networks, Inc.
Field Name Description
• 1—Windows
• 2—OS X/macOS
• 3—Android
• 4—Linux

isVdi Indicates whether the endpoint is a virtual desktop infrastructure (VDI):


• 0—The endpoint is not a VDI
• 1—The endpoint is a VDI

osVersion Full version number of the operating system running on the endpoint. For
example, 6.1.7601.19135.

is64 Indicates whether the endpoint is running a 64-bit version of Windows:


• 0—The endpoint is not running x64 architecture
• 1—The endpoint is running x64 architecture

agentIp IP address of the endpoint.

deviceName Hostname of the endpoint on which the event was logged.

deviceDomain Domain to which the endpoint belongs.

severity Syslog severity level associated with the event.


• 0—Critical
• 1—Error
• 2—Warning
• 3—Notice
• 4—Info
Each event also has an associated Traps severity. See the
messageData.trapsSeverity field for details.

agentVersion Version of the Traps agent.

contentVersion Content version in the local security policy.

protectionStatus Traps agent protection status:


• 0—Protected
• 1—OsVersionIncompatible
• 2—AgentIncompatible

sha256 Hash of the file using SHA256 encoding.

type Type of file; Values are:


• 0—Unknown
• 1—PE
• 2—Mach-o
• 3—DLL

TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs 133
© 2018 Palo Alto Networks, Inc.
Field Name Description
• 4—Office file (containing a macro)

parentSha256 Hash of the parent file using SHA256 encoding.

lastSeen Universal Time Coordinated (UTC) equivalent of the time when the file
last ran on an endpoint. ISO-8601 string representation (for example,
2017-01-24T09:08:59Z).

fileName File name, without the path or the file type extension.

filePath Full path, aligned to the OS format.

fileSize Size of the file in bytes.

localAnalysisResult This object includes the content version, local analysis module version, verdict
result, file signer, and trusted signer result. The trusted signer result is an
integer value:
• 0—Traps did not evaluate the signer of the file.
• 1—The signer is trusted.
• 2—The signer is not trusted.

reported Reporting status of the file, in integer value:


• 0—Traps did not report the security event.
• 1—Traps reported the security event.

blocked Blocking status of the file, in integer value:


• 0—Traps did not block the process or file.
• 1—Traps blocked the process or file.

executionCount The total number of times a file identified by a specific hash was executed.

134 TRAPS MANAGEMENT SERVICE ADMINISTRATOR’S GUIDE | View and Manage Logs