Assess Security Events

The Traps management service ranks all events in order of severity so you can quickly and easily see the most important events when you log in to the Traps management service. You can then drill down into the security events to determine if a security event is a real threat and, if so, you can remediate it. In some cases you may determine that a security event does not pose a real threat and can create an exception for it. Use the following workflow to drill down into a security event and assess whether it poses a security threat.
  1. From the Traps management service, select Security Events.
    [Figure: Security Events page]
  2. Filter the security events.
    The Traps management service displays the filters you can use at the top of the Security Events page. When you supply more than one filter, the Traps management service displays only security events that match all the specified criteria.
    Filters that accept text do not accept wildcards and are case insensitive.
    • By severity—The Traps management service indicates the total number of threats for each severity (high, medium, and low) with quick links you can use to filter security events by severity. You can also use the Severity drop-down at the top of the page to filter by one or more severities.
    • By time—Select the Timeframe for which you would like to filter security events: Last 24 hours, Last 7 days, Last 30 days, or Last 3 Months.
    • By status—Select the Status for which you would like to filter security events. You can define or change the status for each event when you view additional details about the event.
    • By platform—Select the Platform to filter by operating system.
    • By endpoint name or ID—Enter a full or partial Endpoint Name in the Search field.
      If the name of the endpoint changes, the Traps management service automatically updates the name associated with the security event to use the new name, but preserves the original endpoint name in the details view of the event. To search for events for a renamed endpoint, use the current endpoint name as match criteria.
      To instead search for an endpoint by its unique endpoint ID, select Endpoint ID instead of Endpoint Name and enter the full ID value. You can identify the endpoint ID—which is assigned by the Traps agent—in the details view for an endpoint on the Traps management service (for more information, see View Details About an Endpoint).
    • By username—Enter a full or partial Username to filter security events that occurred when a user was logged into one or more endpoints. You can also include the user domain in the format domain\username to filter security events for a user that belongs to a specific domain.
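As an added illustration (not part of the original documentation or the product's own code), the filter rules above modelled over a few constructed events: every supplied filter must match, text filters are case-insensitive partial matches with no wildcard expansion, Endpoint ID matches only the full value, and a domain\username filter restricts the match to that domain. The record shape, the field names and the sample values are assumptions; the Timeframe filter is left out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SecurityEvent:
    # Constructed record shape for the example; not the product's schema.
    name: str
    severity: str
    platform: str
    status: str
    endpoint_name: str
    endpoint_id: str
    username: str  # "DOMAIN\\user" or a bare user name


def matches(ev: SecurityEvent, severities: Optional[List[str]] = None,
            status: Optional[str] = None, platform: Optional[str] = None,
            endpoint_name: Optional[str] = None, endpoint_id: Optional[str] = None,
            username: Optional[str] = None) -> bool:
    """True only when the event satisfies every filter that was supplied (AND)."""
    if severities and ev.severity.lower() not in {s.lower() for s in severities}:
        return False
    if status and ev.status.lower() != status.lower():
        return False
    if platform and ev.platform.lower() != platform.lower():
        return False
    # Endpoint Name: full or partial match, case-insensitive, no wildcard expansion
    # (a '*' in the filter is a literal character and simply fails to match).
    if endpoint_name and endpoint_name.lower() not in ev.endpoint_name.lower():
        return False
    # Endpoint ID: the full ID value is required; a partial ID does not match.
    if endpoint_id and ev.endpoint_id.lower() != endpoint_id.lower():
        return False
    if username:
        want_domain, _, want_user = username.rpartition("\\")
        have_domain, _, have_user = ev.username.rpartition("\\")
        # The user part is a partial match; a supplied domain must match exactly.
        if want_user.lower() not in have_user.lower():
            return False
        if want_domain and want_domain.lower() != have_domain.lower():
            return False
    return True


def filter_events(events: List[SecurityEvent], **filters) -> List[str]:
    """Apply the filters and return the names of the matching events, in order."""
    return [ev.name for ev in events if matches(ev, **filters)]


# Constructed sample events (all values are made up for the example).
EVENTS = [
    SecurityEvent("Exploit blocked", "High", "Windows", "New", "FIN-LAPTOP-01", "ep-0001", "CORP\\alice"),
    SecurityEvent("Malware prevented", "Medium", "Windows", "Investigating", "fin-desktop-07", "ep-0002", "CORP\\bob"),
    SecurityEvent("Malware quarantined", "Low", "macOS", "Closed", "DEV-MAC-03", "ep-0003", "LAB\\alice"),
]
```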
  3. To drill down into additional Security Event Details, select the Event name.
    This detailed view provides context around the event and provides information you can use to help you assess whether the security event is a valid threat.
  4. While you are investigating a security event, consider changing the event STATUS to Investigating (click the edit icon and select Investigating from the drop-down).
    [Figure: Security event status drop-down]
    After you set the status, you can easily filter the Security Events dashboard by the events you are currently assessing.
  5. If the threat violated a Malware policy rule, you can also view information about the hash and the associated WildFire Analysis Report to learn about the malicious behavior WildFire observed.
    You can then use this information to help you remediate the malware on your endpoints to prevent it from propagating. If you disagree with a WildFire verdict, you can submit a report describing why you believe the verdict is incorrect to Palo Alto Networks. For more information, see Review WildFire Analysis Details.
  6. Retrieve data from the endpoint.
    1. From the details view of a security event, select Retrieve Data.
      [Figure: Retrieve Data action in the security event details view]
    2. Confirm the action to Retrieve data.
      The Traps management service displays the status of the data retrieval request in the Details of the security event.
      [Figure: Data retrieval status in the security event details]
      You can also go to the Logs > Data Retrieval page to view all data collected from Traps agents. See Data Retrieval Logs.
    3. After the Traps agent uploads the data to the Traps management service, you can download it to further assess and understand the activity associated with the event.
      To view additional details about an endpoint, including the policy applied on the endpoint, see Manage Registered Endpoints.
  7. To help track your progress as you analyze a security event:
    1. Enter or view comments for the event: Select Comments, then enter and submit the comment.
    2. View the change history for a security event: Select History.
  8. (Optional) If, after reviewing the details about a security event, you want to grant an exception to the security policy that triggered the event, Create a Policy Exception.
    To configure an exception for an event triggered by your exploit policy, configure a Process Exception. To configure an exception for an event triggered by your malware policy, configure a Hash Exception. Exceptions are not available for restriction policy rules.
  9. After you complete your investigation, change the STATUS of the security event to Closed to indicate to other administrators that no additional assessment is required. You can also optionally archive the event:
    1. From the Security Events dashboard, select the events you want to archive.
      The Traps management service displays a menu of actions to manage the event.
      [Figure: Security Events action menu]
    2. Select the option to archive selected security events.
    3. Review the warning message and confirm you want to Archive the events.
      The Traps management service removes the security event from the Security Events dashboard.