Assess Security Events
The Traps management service ranks all events in order of severity so you can quickly and easily see the most important events when you log in to the Traps management service. You can then drill down into the security events to determine if a security event is a real threat and, if so, you can remediate it. In some cases you may determine that a security event does not pose a real threat and can create an exception for it. Use the following workflow to drill down into a security event and assess whether it poses a security threat.
- From the Traps management service, select Security Events.
- Filter the security events. The Traps management service displays the filters you can use at the top of the Security Events page. When you supply more than one filter, the Traps management service displays only security events that match all the specified criteria. Filters that accept text do not accept wildcards and are case insensitive.
- By time—Select the Timeframe for which you would like to filter security events: Last 24 hours, Last 7 days, Last 30 days, or Last 3 Months.
- By status—Select the Status for which you would like to filter security events. You can define or change the status for each event when you view additional details about the event.
- By severity—The Traps management service indicates the total number of threats for each severity (high, medium, and low) with quick links you can use to filter security events by severity. You can also use the Severity drop-down at the top of the page to filter by one or more severities.
- By platform—Select the Platform to filter by operating system.
- By username—Enter a full or partial User to filter security events that occurred when a user was logged into one or more endpoints. You can also include the user domain in the format domain\username to filter security events for a user that belongs to a specific domain.
- By endpoint name or ID—Enter a complete or partial Endpoint Name in the Search field. If the name of the endpoint changes, the Traps management service automatically updates the name associated with the security event to use the new name, but preserves the original endpoint name in the details view of the event. To search for events for a renamed endpoint, use the current endpoint name as match criteria. To instead search for an endpoint by its unique endpoint ID, select Endpoint ID instead of Endpoint Name and enter the complete ID value. You can identify the endpoint ID—which is assigned by the Traps management service—in the details view for an endpoint (for more information, see View Details About an Endpoint).
- By process or file name—Enter a full or partial Process/File Name to filter security events for a specific file.
- By event ID—Enter a complete Event ID to filter security events for the unique ID issued to each security event.
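The filter semantics described above (all supplied filters must match, text filters are case-insensitive partial matches without wildcards, Event ID and Endpoint ID require the complete value, and results are ordered by severity) are modelled in the following added Python example. It is not part of the Traps management service and operates only on constructed sample events; the field names and the fixed reference time NOW are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # high severity is listed first

@dataclass
class Event:
    event_id: str
    time: datetime
    status: str
    severity: str
    platform: str
    user: str           # domain\username, as the username filter expects
    endpoint_name: str
    endpoint_id: str
    process: str

def text_match(needle: Optional[str], haystack: str) -> bool:
    # Text filters: full or partial match, no wildcards, case-insensitive.
    return needle is None or needle.lower() in haystack.lower()

def filter_events(events: Iterable[Event], now: datetime, days: Optional[int] = None,
                  status: Optional[str] = None, severities: Optional[set] = None,
                  platform: Optional[str] = None, user: Optional[str] = None,
                  endpoint_name: Optional[str] = None, endpoint_id: Optional[str] = None,
                  process: Optional[str] = None, event_id: Optional[str] = None) -> list:
    # Every supplied filter must match (AND semantics); unset filters are ignored.
    # Endpoint ID and Event ID are exact matches on the complete value.
    kept = [e for e in events
            if (days is None or e.time >= now - timedelta(days=days))
            and (status is None or e.status == status)
            and (severities is None or e.severity in severities)
            and (platform is None or e.platform == platform)
            and text_match(user, e.user)
            and text_match(endpoint_name, e.endpoint_name)
            and (endpoint_id is None or e.endpoint_id == endpoint_id)
            and text_match(process, e.process)
            and (event_id is None or e.event_id == event_id)]
    return sorted(kept, key=lambda e: SEVERITY_RANK[e.severity])  # most severe first

# Constructed sample events (not real telemetry); NOW is an assumed fixed reference time.
NOW = datetime(2019, 6, 1, 12, 0)
SAMPLE_EVENTS = [
    Event("E-1001", NOW - timedelta(hours=3), "New", "high", "Windows",
          r"corp\alice", "LAPTOP-01", "ep-aaaa", "powershell.exe"),
    Event("E-1002", NOW - timedelta(days=2), "Investigating", "low", "Windows",
          r"lab\alice", "LAPTOP-02", "ep-bbbb", "notepad.exe"),
    Event("E-1003", NOW - timedelta(days=40), "Closed", "medium", "macOS",
          r"corp\bob", "MAC-07", "ep-cccc", "Terminal"),
]
```

Note that a partial user filter such as "alice" matches accounts in every domain, whereas "corp\alice" narrows the result to that domain, which is the distinction the username filter description makes.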
- To drill down into additional details about a Security Event, select the Event name. This detailed view provides context around the event and provides information you can use to help you assess whether the security event is a valid threat.
- While you are investigating a security event, consider changing the event STATUS to Investigating (click the change status icon and select Investigating from the drop-down). To set the status for multiple events in bulk, select the security events in the table view, select the change status icon from the action menu that appears at the top of the security events table, and then choose the desired status. After you set the status for one or more security events, you can easily filter the Security Events dashboard by the events you are currently assessing.
- If the threat violated a Malware policy rule, you can also view information about the hash and the associated WildFire Analysis Report to learn about the malicious behavior WildFire observed. You can then use this information to help you remediate the malware on your endpoints to prevent it from propagating. If you disagree with a WildFire verdict, you can submit a report describing why you believe the verdict is incorrect to Palo Alto Networks. For more information, see Review WildFire Analysis Details.
- Retrieve data from the endpoint.
- From the details view of a security event, select Retrieve Data.
- Confirm the action to Retrieve data. The Traps management service displays the status of the data retrieval request in the Details of the security event. You can also go to the Logs > Data Retrieval page to view all data collected from Traps agents. See Data Retrieval Logs.
- After the Traps agent uploads the data to the Traps management service, you can download it to further assess and understand the activity associated with the event. To view additional details about an endpoint, including the policy applied on the endpoint, see Manage Registered Endpoints.
- To help track your progress as you analyze a security event:
- Enter or view comments for the event: Select Comments, then enter and submit the comment.
- View the change history for a security event: Select History.
- (Optional) If, after reviewing the details about a security event, you want to grant an exception to the security policy that triggered the event, Create a Policy Exception. To configure an exception for an event triggered by your exploit policy, configure a Process Exception. To configure an exception for an event triggered by your malware policy, configure a Hash Exception. Exceptions are not available for restriction policy rules.
- After you complete your investigation, change the STATUS of the security events to Closed to indicate to other administrators that no additional assessment is required. The Traps management service filters out closed events from the default view of the Security Events page. To include closed events in results, select the Status: Closed search filter.