Palo Alto Networks Traps

Use the Palo Alto Networks Traps integration to initiate endpoint scans, retrieve files referenced by events, isolate endpoints, quarantine files, and manage the file hash blacklist.

Traps Playbooks

  • Traps Retrieve And Download Files
  • Traps Scan Endpoint

Get Your API Key and Application ID

You will need to provide the API key and Application ID when configuring an instance of the Traps integration in Demisto.

NOTE: This procedure requires Super User privileges in the TMS.

  1. Access your Traps TMS UI.
  2. Click the settings button and select API Keys.
  3. Click Add to create a new API key.
  4. Copy and save the entire text of the API key and the Application ID. The API key is displayed only once; you will not be able to retrieve it again.

Configure Traps on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Traps.
  3. Click Add instance to create and configure a new integration instance.
    • Name
    • Fetch incidents
    • Server URL
    • Application ID
    • Private Key (the API key you saved from the TMS)
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get endpoint details: traps-get-endpoint-by-id
  2. Execute a file retrieve operation / SAM on an agent: traps-endpoint-files-retrieve
  3. Scan an endpoint: traps-endpoint-scan
  4. Modify details for an event: traps-event-update
  5. Modify details for multiple events: traps-event-bulk-update-status
  6. Add a file hash to the blacklist: traps-hash-blacklist
  7. Remove a file hash from the blacklist: traps-hash-blacklist-remove
  8. Get the blacklist status of file hashes: traps-hashes-blacklist-status
  9. Quarantine an event: traps-event-quarantine
  10. Isolate an endpoint: traps-endpoint-isolate
  11. Get the result of a quarantine operation: traps-event-quarantine-result
  12. Get the result of an isolate operation: traps-endpoint-isolate-status
  13. Get the results of an endpoint file retrieve operation: traps-endpoint-files-retrieve-result
  14. Get the results of an endpoint scan operation: traps-endpoint-scan-result

1. Get endpoint details


Returns details for the specified endpoint.

Base Command

traps-get-endpoint-by-id

Input
Argument Name Description Required
endpoint_id Endpoint ID. Required

Context Output
Path Type Description
Traps.Endpoint.ID String The ID of the endpoint.
Traps.Endpoint.Name String The name of the endpoint.
Traps.Endpoint.Domain String The domain of the endpoint.
Traps.Endpoint.Platform String The OS of the endpoint.
Traps.Endpoint.Status String The status of the endpoint.
Traps.Endpoint.IP String The IP address of the endpoint.
Traps.Endpoint.ComputerSid String The computer SID.
Traps.Endpoint.IsCompromised Boolean Whether the endpoint is compromised.
Traps.Endpoint.OsVersion String The version of the OS on the endpoint.
Traps.Endpoint.OsProductType String The OS type of the endpoint.
Traps.Endpoint.OsProductName String The name of the OS on the endpoint.
Traps.Endpoint.Is64 Boolean Whether the OS on the endpoint is 64-bit.
Traps.Endpoint.LastSeen String The date/time of the last active ping.
Traps.Endpoint.LastUser String The last active user on the machine.

Command Example
!traps-get-endpoint-by-id endpoint_id="d3339851f18f470182bf2bf98ad5db4b"
Context Example
{
    "Traps.Endpoint": {
        "ComputerSid": "S-1-5-21-202186053-2642234773-3690463397",
        "Domain": "WORKGROUP",
        "ID": "d3339851f18f470182bf2bf98ad5db4b",
        "IP": "172.31.33.227",
        "Is64": true,
        "IsCompromised": false,
        "LastSeen": "2019-10-03T09:06:40.000Z",
        "LastUser": "Administrator",
        "Name": "EC2AMAZ-8IEUJEN",
        "OsProductName": "",
        "OsProductType": "server",
        "OsVersion": "10.0.14393",
        "Platform": "windows",
        "Status": "active"
    }
}
Human Readable Output

Endpoint d3339851f18f470182bf2bf98ad5db4b data:

Computer Sid: S-1-5-21-202186053-2642234773-3690463397
Domain: WORKGROUP
ID: d3339851f18f470182bf2bf98ad5db4b
IP: 172.31.33.227
Is 64: true
Is Compromised: false
Last Seen: 2019-10-03T09:06:40.000Z
Last User: Administrator
Name: EC2AMAZ-8IEUJEN
Os Product Name:
Os Product Type: server
Os Version: 10.0.14393
Platform: windows
Status: active

2. Execute a file retrieve operation / SAM on an agent


Executes a file retrieve operation / SAM on the specified agent.

Base Command

traps-endpoint-files-retrieve

Input
Argument Name Description Required
endpoint_id The ID of the endpoint. Required
file_name The full path of the file to retrieve on the endpoint. In the Demisto CLI, escape backslashes in Windows paths as shown in the example. Required
event_id The ID of the event. Required

Context Output
Path Type Description
Traps.FileRetrieve.EndpointID String The ID of the endpoint.
Traps.FileRetrieve.OperationID String The ID of the operation.
Traps.FileRetrieve.Type String The type of operation.

Command Example
!traps-endpoint-files-retrieve endpoint_id="d3339851f18f470182bf2bf98ad5db4b" file_name="C:\\Program Files (x86)\\Notepad++\\notepad++.exe" event_id="1cfb8fac7b504dc9894eabb9eb33de73"
Context Example
{
    "Traps.FileRetrieve": {
        "EndpointID": "d3339851f18f470182bf2bf98ad5db4b",
        "OperationID": "3f7d6e86e5bd11e9acbf0245d8e950da",
        "Type": "files-retrieve"
    }
}
Human Readable Output

Files retrieve command on endpoint: d3339851f18f470182bf2bf98ad5db4b received

Endpoint ID Operation ID Type
d3339851f18f470182bf2bf98ad5db4b 3f7d6e86e5bd11e9acbf0245d8e950da files-retrieve

3. Scan an endpoint


Performs a scan operation on the specified endpoint.

Base Command

traps-endpoint-scan

Input
Argument Name Description Required
endpoint_id The ID of the endpoint. Required

Context Output
Path Type Description
Traps.Scan.EndpointID String The ID of the endpoint.
Traps.Scan.OperationID String The ID of the operation.
Traps.Scan.Type String The type of operation.

Command Example
!traps-endpoint-scan endpoint_id="d3339851f18f470182bf2bf98ad5db4b"
Context Example
{
    "Traps.Scan": {
        "EndpointID": "d3339851f18f470182bf2bf98ad5db4b",
        "OperationID": "404d5231e5bd11e9acbf0245d8e950da",
        "Type": "endpoint-scan"
    }
}
Human Readable Output

Scan command on endpoint: d3339851f18f470182bf2bf98ad5db4b received

Endpoint ID Operation ID Type
d3339851f18f470182bf2bf98ad5db4b 404d5231e5bd11e9acbf0245d8e950da endpoint-scan

4. Modify details for an event


Modifies the status and adds a comment to an existing event.

Base Command

traps-event-update

Input
Argument Name Description Required
event_id The ID of the event to modify. Required
status The new status for the event. Optional
comment A comment for the event. Optional

Context Output

There is no context output for this command.

Command Example
!traps-event-update event_id="53edb3fa9a3b4b83bcf168390a2ec08d" status="new"
Human Readable Output

Event: 53edb3fa9a3b4b83bcf168390a2ec08d was updated

New status: new

5. Modify details for multiple events


Modifies the status of multiple events.

Base Command

traps-event-bulk-update-status

Input
Argument Name Description Required
event_ids A comma-separated list of IDs for events to modify. Required
status The new status for all of the specified events. Required

Context Output

There is no context output for this command.

Command Example
!traps-event-bulk-update-status event_ids="df4e60a62515482f98c8ef37e74363df,cfe4d15aca924bfcb7d2fc629b696bdd" status="new"
Context Example
{}
Human Readable Output

Successfully updated

**No entries.**

Failed to update

**No entries.**

Ignored

Event ID
cfe4d15aca924bfcb7d2fc629b696bdd
df4e60a62515482f98c8ef37e74363df

6. Add a file hash to the blacklist


Adds the specified file hash to the blacklist.

Base Command

traps-hash-blacklist

Input
Argument Name Description Required
hash_id The SHA256 hash to add to the blacklist. Required

Context Output
Path Type Description
Traps.File.BlacklistStatus String The status of the file hash ("blacklisted" or "none").
Traps.File.SHA256 String The SHA256 hash of the file.

Command Example

!traps-hash-blacklist hash_id="1111111111111111111111111111111111111111111111111111111111111111"

Context Example
{
    "Traps.File": {
        "BlacklistStatus": "blacklisted",
        "SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
    }
}
Human Readable Output

Successfully blacklisted: 1111111111111111111111111111111111111111111111111111111111111111

7. Remove a file hash from the blacklist


Removes the specified file hash from the blacklist.

Base Command

traps-hash-blacklist-remove

Input
Argument Name Description Required
hash_id The SHA256 hash to remove from the blacklist. Required

Context Output
Path Type Description
Traps.File.BlacklistStatus String The status of the file hash ("blacklisted" or "none").
Traps.File.SHA256 String The SHA256 hash of the file.

Command Example
!traps-hash-blacklist-remove hash_id="1111111111111111111111111111111111111111111111111111111111111111"
Context Example
{
    "Traps.File": {
        "BlacklistStatus": "none",
        "SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
    }
}
Human Readable Output

Successfully removed 1111111111111111111111111111111111111111111111111111111111111111 from blacklist

8. Get the blacklist status of file hashes


Returns the blacklist status of the specified file hashes.

Base Command

traps-hashes-blacklist-status

Input
Argument Name Description Required
hash_ids A comma-separated list of SHA256 file hashes for which to return the blacklist status. Required

Context Output
Path Type Description
Traps.File.BlacklistStatus String The blacklist status of the file hash. Can be "blacklisted" or "none".
Traps.File.SHA256 String The SHA256 hash of the file.

Command Example
!traps-hashes-blacklist-status hash_ids="5616ff15b3f5df4e18d28771ccdae19173873009f2318761aa9f9e573b9d9acc,360b12ccfa33c6d2021bf34162b111ffc2f5939b0524b2e045cd682d93318d69"
Context Example
{
    "Traps.File": [
        {
            "BlacklistStatus": "blacklisted",
            "SHA256": "360b12ccfa33c6d2021bf34162b111ffc2f5939b0524b2e045cd682d93318d69"
        },
        {
            "BlacklistStatus": "none",
            "SHA256": "5616ff15b3f5df4e18d28771ccdae19173873009f2318761aa9f9e573b9d9acc"
        }
    ]
}
Human Readable Output

Hashes status:

Blacklist Status SHA256
blacklisted 360b12ccfa33c6d2021bf34162b111ffc2f5939b0524b2e045cd682d93318d69
none 5616ff15b3f5df4e18d28771ccdae19173873009f2318761aa9f9e573b9d9acc
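The blacklist commands in sections 6 to 8 accept only SHA256 hashes, one hash per traps-hash-blacklist call, and traps-hashes-blacklist-status can check a whole batch in one call. The following Python is an added example, not code from the Traps integration, that validates candidate hashes, checks their current status in one call and blacklists only those not already blacklisted. The `execute(command, args)` callable stands in for demisto.executeCommand and is assumed to return the entry context the command produced; FakeBlacklist is a constructed stand-in seeded with the example hashes above so the code runs offline.

```python
"""Blacklist SHA256 hashes through Traps without redundant or malformed writes.

Added example, not part of the Traps integration. `execute(command, args)`
stands in for demisto.executeCommand (assumed to return the command's entry
context) and is injected so the logic can be exercised offline.
"""
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value):
    """Return the lowercase hash, or None when it is not a SHA256 hex digest.
    traps-hash-blacklist takes SHA256 only; passing an MD5 or SHA1 would at
    best be rejected and at worst create an entry that never matches a file."""
    value = (value or "").strip().lower()
    return value if SHA256_RE.match(value) else None


def current_status(execute, hashes):
    """One traps-hashes-blacklist-status call for the batch; returns
    {sha256: "blacklisted" | "none"} from the Traps.File context."""
    ctx = execute("traps-hashes-blacklist-status", {"hash_ids": ",".join(hashes)})
    entries = ctx.get("Traps.File", [])
    if isinstance(entries, dict):  # a single hash may come back as a dict
        entries = [entries]
    return {e["SHA256"].lower(): e["BlacklistStatus"] for e in entries}


def blacklist_hashes(execute, candidates):
    """Blacklist each valid hash that is not already blacklisted.

    Returns {"added": [...], "skipped": [...], "rejected": [...]} so the
    automation can record what it changed and what it refused to send.
    """
    report = {"added": [], "skipped": [], "rejected": []}
    valid = []
    for raw in candidates:
        h = normalize_sha256(raw)
        (valid if h else report["rejected"]).append(h or raw)
    valid = list(dict.fromkeys(valid))  # drop duplicates, keep order
    if not valid:
        return report
    status = current_status(execute, valid)
    for h in valid:
        if status.get(h) == "blacklisted":
            report["skipped"].append(h)
            continue
        entry = execute("traps-hash-blacklist", {"hash_id": h})["Traps.File"]
        if entry.get("BlacklistStatus") != "blacklisted":
            raise RuntimeError(f"Traps did not blacklist {h}: {entry}")
        report["added"].append(h)
    return report


class FakeBlacklist:
    """Constructed stand-in for the integration, answering with the context
    shapes shown in sections 6 and 8 of the command reference."""

    def __init__(self, blacklisted=()):
        self.blacklisted = set(blacklisted)
        self.calls = []

    def __call__(self, command, args):
        self.calls.append(command)
        if command == "traps-hashes-blacklist-status":
            return {"Traps.File": [
                {"SHA256": h, "BlacklistStatus": "blacklisted" if h in self.blacklisted else "none"}
                for h in args["hash_ids"].split(",")]}
        if command == "traps-hash-blacklist":
            self.blacklisted.add(args["hash_id"])
            return {"Traps.File": {"SHA256": args["hash_id"], "BlacklistStatus": "blacklisted"}}
        raise ValueError(f"unsupported command {command}")


if __name__ == "__main__":
    fake = FakeBlacklist(["360b12ccfa33c6d2021bf34162b111ffc2f5939b0524b2e045cd682d93318d69"])
    print(blacklist_hashes(fake, [
        "360b12ccfa33c6d2021bf34162b111ffc2f5939b0524b2e045cd682d93318d69",
        "5616FF15B3F5DF4E18D28771CCDAE19173873009F2318761AA9F9E573B9D9ACC",
        "d41d8cd98f00b204e9800998ecf8427e",  # MD5, rejected before any API call
    ]))
```

In a real automation, replace FakeBlacklist with a thin wrapper around demisto.executeCommand that extracts EntryContext from the returned entries; the status check before each write is what keeps a re-run playbook from issuing a blacklist call for every hash it has already handled.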

9. Quarantine an event


Creates a quarantine entry for the specified event.

Base Command

traps-event-quarantine

Input
Argument Name Description Required
event_id The ID of the event for which to create a quarantine entry. Required

Context Output
Path Type Description
Traps.Quarantine.EventID String The ID of the event.
Traps.Quarantine.OperationID String The ID of the operation.
Traps.Quarantine.Type String The type of operation.

Command Example
!traps-event-quarantine event_id="19903a443a47441a86c92c3aea5abb30"
Context Example
{
    "Traps.Quarantine": [
        {
            "EventID": "19903a443a47441a86c92c3aea5abb30",
            "OperationID": "42185783e5bd11e9acbf0245d8e950da",
            "Type": "event-quarantine"
        }
    ]
}
Human Readable Output

Quarantine command on event: 19903a443a47441a86c92c3aea5abb30 received

Event ID Operation ID Type
19903a443a47441a86c92c3aea5abb30 42185783e5bd11e9acbf0245d8e950da event-quarantine

10. Isolate an endpoint


Isolates the specified endpoint.

Base Command

traps-endpoint-isolate

Input
Argument Name Description Required
endpoint_id The ID of the endpoint to isolate. Required

Context Output
Path Type Description
Traps.Isolate.EndpointID String The ID of the endpoint.
Traps.Isolate.OperationID String The ID of the operation.
Traps.Isolate.Type String The type of operation.

Command Example
!traps-endpoint-isolate endpoint_id=d3339851f18f470182bf2bf98ad5db4b
Context Example
{
    "Traps.Isolate": {
        "EndpointID": "d3339851f18f470182bf2bf98ad5db4b",
        "OperationID": "4278ac6ce5bd11e9acbf0245d8e950da",
        "Type": "endpoint-isolate"
    }
}
Human Readable Output

Isolate command on endpoint d3339851f18f470182bf2bf98ad5db4b received

Endpoint ID Operation ID Type
d3339851f18f470182bf2bf98ad5db4b 4278ac6ce5bd11e9acbf0245d8e950da endpoint-isolate

11. Get the result of a quarantine operation


Returns the result of the specified quarantine operation.

Base Command

traps-event-quarantine-result

Input
Argument Name Description Required
operation_id The ID of the quarantine operation (Traps.Quarantine.OperationID). Required

Context Output
Path Type Description
Traps.QuarantineResult.SHA256 String The SHA256 hash of the file.
Traps.QuarantineResult.FilePath String The file path on the endpoint.
Traps.QuarantineResult.OperationID String The ID of the operation.
Traps.QuarantineResult.Status String The status of the quarantine operation.

Command Example
!traps-event-quarantine-result operation_id="e092afa2e08511e9acbf0245d8e950da"
Context Example
{
    "Traps.QuarantineResult": {
        "FilePath": "C:\\Users\\Administrator\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\f_000013",
        "OperationID": "e092afa2e08511e9acbf0245d8e950da",
        "SHA256": "2f937ee2fd10a6ea58faca31ab455d18e29ded5d88b4a6f8cc29127a23232e45",
        "Status": "finished"
    }
}
Human Readable Output

Status of quarantine operation: e092afa2e08511e9acbf0245d8e950da

File Path: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013
Operation ID: e092afa2e08511e9acbf0245d8e950da
SHA256: 2f937ee2fd10a6ea58faca31ab455d18e29ded5d88b4a6f8cc29127a23232e45
Status: finished

12. Get the result of an isolate operation


Returns the status of the specified endpoint isolate operation.

Base Command

traps-endpoint-isolate-status

Input
Argument Name Description Required
operation_id The ID of the isolate operation (Traps.Isolate.OperationID). Required

Context Output
Path Type Description
Traps.IsolateResult.OperationID String The ID of the operation.
Traps.IsolateResult.Status String The status of the isolation operation.

Command Example
!traps-endpoint-isolate-status operation_id=d4abbbc4e5ba11e9acbf0245d8e950da
Context Example
{
    "Traps.IsolateResult": {
        "OperationID": "d4abbbc4e5ba11e9acbf0245d8e950da",
        "Status": "finished"
    }
}
Human Readable Output

Isolate status is: finished

13. Get the results of an endpoint file retrieve operation


Returns the status of the specified endpoint file retrieve operation.

Base Command

traps-endpoint-files-retrieve-result

Input
Argument Name Description Required
operation_id The ID of the file retrieve operation (Traps.FileRetrieve.OperationID). Required

Context Output
Path Type Description
Traps.FileRetrieveResult.OperationID String The ID of the operation.
Traps.FileRetrieveResult.Status String The status of the file retrieve operation.

Command Example
!traps-endpoint-files-retrieve-result operation_id="d129d313e5ba11e9acbf0245d8e950da"
Context Example
{
    "Traps.FileRetrieveResult": {
        "OperationID": "d129d313e5ba11e9acbf0245d8e950da",
        "Status": "finished"
    }
}
Human Readable Output

File retrieval status is: finished

14. Get the results of an endpoint scan operation


Returns the results of the specified endpoint scan operation. As the example below shows, a result can carry file and malware counts even when Status is "error", so evaluate MalwareFound and FilesFailed in addition to Status.

Base Command

traps-endpoint-scan-result

Input
Argument Name Description Required
operation_id The ID of the scan operation (Traps.Scan.OperationID). Required

Context Output
Path Type Description
Traps.ScanResult.FileScanned Number The number of files scanned.
Traps.ScanResult.FilesFailed Number The number of files that could not be scanned.
Traps.ScanResult.MalwareFound Number The number of malware files detected.
Traps.ScanResult.OperationID String The ID of the operation.
Traps.ScanResult.Status String The status of the scan.

Command Example
!traps-endpoint-scan-result operation_id="d270d8bce5ba11e9acbf0245d8e950da"
Context Example
{
    "Traps.ScanResult": {
        "FileScanned": 57295,
        "FilesFailed": 0,
        "MalwareFound": 1,
        "OperationID": "d270d8bce5ba11e9acbf0245d8e950da",
        "Status": "error"
    }
}
Human Readable Output

Status of scan operation: d270d8bce5ba11e9acbf0245d8e950da

File Scanned: 57295
Files Failed: 0
Malware Found: 1
Operation ID: d270d8bce5ba11e9acbf0245d8e950da
Status: error
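The scan, file retrieve, quarantine and isolate commands (sections 2, 3, 9 and 10) only acknowledge the request and return an OperationID; the outcome has to be fetched later with the matching result command (sections 11 to 14). The following Python is an added example, not code from the Traps integration, of an automation helper that starts one of these operations, polls its result command until the status is terminal, and interprets a scan result. It assumes that "finished" and "error" are the only terminal statuses and that a not-yet-terminal status such as "pending" can appear; `execute(command, args)` stands in for demisto.executeCommand and is assumed to return the command's entry context. FakeTraps is a constructed stand-in replaying the example context from sections 3, 10, 12 and 14 so the code runs offline.

```python
"""Drive a Traps asynchronous operation to completion from a Demisto automation.

Added example, not part of the Traps integration. `execute(command, args)`
stands in for demisto.executeCommand (assumed to return the command's entry
context) and is injected so the helper can run offline against FakeTraps.
"""
import time

# Start command -> (result command, context key written on start, context key
# written by the result command), taken from the command reference above.
OPERATIONS = {
    "traps-endpoint-scan": ("traps-endpoint-scan-result", "Traps.Scan", "Traps.ScanResult"),
    "traps-endpoint-isolate": ("traps-endpoint-isolate-status", "Traps.Isolate", "Traps.IsolateResult"),
    "traps-endpoint-files-retrieve": ("traps-endpoint-files-retrieve-result", "Traps.FileRetrieve", "Traps.FileRetrieveResult"),
    "traps-event-quarantine": ("traps-event-quarantine-result", "Traps.Quarantine", "Traps.QuarantineResult"),
}

# Assumption: "finished" and "error" are the terminal statuses; any other value
# means the agent has not reported back yet.
TERMINAL = {"finished", "error"}


def _entry(context, key):
    """Return the single entry under `key`; quarantine writes a list, the rest a dict."""
    value = context[key]
    return value[0] if isinstance(value, list) else value


def run_and_wait(execute, command, args, timeout=300, interval=10, sleep=time.sleep):
    """Start `command`, then poll its result command until a terminal status.

    Returns (status, result_entry). Raises TimeoutError when the operation is
    still running after roughly `timeout` seconds, so the playbook decides
    whether to keep waiting or escalate instead of silently assuming success.
    """
    result_cmd, start_key, result_key = OPERATIONS[command]
    operation_id = _entry(execute(command, args), start_key)["OperationID"]
    for _ in range(max(1, timeout // interval)):
        result = _entry(execute(result_cmd, {"operation_id": operation_id}), result_key)
        status = str(result.get("Status", "")).lower()
        if status in TERMINAL:
            return status, result
        sleep(interval)
    raise TimeoutError(f"{command} operation {operation_id} did not finish within {timeout}s")


def scan_verdict(result):
    """Summarize a Traps.ScanResult. MalwareFound is read regardless of Status:
    the reference example reports Status "error" together with MalwareFound 1,
    so keying only on Status would hide a detection."""
    return {
        "malware_found": int(result.get("MalwareFound", 0)) > 0,
        "incomplete": result.get("Status") != "finished" or int(result.get("FilesFailed", 0)) > 0,
        "files_scanned": int(result.get("FileScanned", 0)),
    }


class FakeTraps:
    """Constructed stand-in replaying the reference's example context. The scan
    result reports the assumed non-terminal status "pending" once before
    returning the example's final result."""

    SCAN_OP = "404d5231e5bd11e9acbf0245d8e950da"
    ISOLATE_OP = "4278ac6ce5bd11e9acbf0245d8e950da"

    def __init__(self):
        self.calls = []
        self.pending_polls = 1

    def __call__(self, command, args):
        self.calls.append((command, dict(args)))
        if command == "traps-endpoint-scan":
            return {"Traps.Scan": {"EndpointID": args["endpoint_id"],
                                   "OperationID": self.SCAN_OP, "Type": "endpoint-scan"}}
        if command == "traps-endpoint-scan-result":
            if self.pending_polls:
                self.pending_polls -= 1
                return {"Traps.ScanResult": {"OperationID": args["operation_id"], "Status": "pending"}}
            return {"Traps.ScanResult": {"FileScanned": 57295, "FilesFailed": 0, "MalwareFound": 1,
                                         "OperationID": args["operation_id"], "Status": "error"}}
        if command == "traps-endpoint-isolate":
            return {"Traps.Isolate": {"EndpointID": args["endpoint_id"],
                                      "OperationID": self.ISOLATE_OP, "Type": "endpoint-isolate"}}
        if command == "traps-endpoint-isolate-status":
            return {"Traps.IsolateResult": {"OperationID": args["operation_id"], "Status": "finished"}}
        raise ValueError(f"unsupported command {command}")


if __name__ == "__main__":
    traps = FakeTraps()
    status, result = run_and_wait(traps, "traps-endpoint-scan",
                                  {"endpoint_id": "d3339851f18f470182bf2bf98ad5db4b"},
                                  sleep=lambda _: None)
    print(status, scan_verdict(result))
```

The same helper serves isolate, file retrieve and quarantine because every pair in OPERATIONS follows the same shape: the start command writes an OperationID, the result command takes it back as operation_id. Keep the poll interval coarse; the result commands are calls against the TMS, and a tight loop across many endpoints adds load without making the agent report any sooner.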