Palo Alto Networks Traps (Deprecated)

This Integration is part of the Palo Alto Networks Traps (Deprecated) Pack.

Deprecated

Use CortexXDR instead.

Deprecated. Use CortexXDR instead. Use the Palo Alto Networks Traps integration to initiate scans, retrieve files from events, isolate endpoints, quarantine files, and manage the allow list and block list.

Traps Playbooks

• Traps Retrieve And Download Files
• Traps Scan Endpoint

Get Your API Key and Application ID

You will need to provide the API key and Application ID when configuring an instance of the Traps integration in Cortex XSOAR.

NOTE : This procedure requires Super User privileges.

1. Access your Traps TMS UI.
2. Click the settings button and select API Keys .
3. To create new API Key click the Add button.
4. Copy and save the entire text of your API key as you will not be able to access it again, and the Application ID.

Configure Traps on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services .
2. Search for Traps.
3. Click Add instance to create and configure a new integration instance.
   • Name
   • Fetch incidents
   • Server URL
   • Application ID
   • Private Key
   • Trust any certificate (not secure)
   • Use system proxy settings
4. Click Test to validate the new instance.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Get endpoint details: traps-get-endpoint-by-id
2. Execute a file retrieve operation / SAM on an agent: traps-endpoint-files-retrieve
3. Scan an endpoint: traps-endpoint-scan
4. Modify details for an event: traps-event-update
5. Modify details for multiple events: traps-event-bulk-update-status
6. Add a file hash to the block list: traps-hash-blacklist
7. Remove a file hash from the block list: traps-hash-blacklist-remove
8. Return a file hash to the block list: traps-hashes-blacklist-status
9. Quarantine an event: traps-event-quarantine
10. Isolate an endpoint: traps-endpoint-isolate
11. Get the result of a quarantine operation: traps-event-quarantine-result
12. Get the result of an isolate operation: traps-endpoint-isolate-status
13. Get the results of an endpoint file retrieve operation: traps-endpoint-files-retrieve-result
14. Get the results of an endpoint scan operation: traps-endpoint-scan-result

1. Get endpoint details

---

Returns details for the specified endpoint.

Base Command

traps-get-endpoint-by-id

Input

Argument Name	Description	Required
endpoint_id	Endpoint ID.	Required

Context Output

Path	Type	Description
Traps.Endpoint.ID	String	The ID of the endpoint.
Traps.Endpoint.Name	String	The name of the endpoint.
Traps.Endpoint.Domain	date	The domain of the endpoint.
Traps.Endpoint.Platform	String	The OS of the endpoint.
Traps.Endpoint.Status	String	The status of the endpoint.
Traps.Endpoint.IP	String	The IP address of the endpoint.
Traps.Endpoint.ComputerSid	String	The computer SID.
Traps.Endpoint.IsCompromised	String	Whether the endpoint is compromised.
Traps.Endpoint.OsVersion	String	The version of the OS on the endpoint.
Traps.Endpoint.OsProductType	String	The OS type of the endpoint.
Traps.Endpoint.OsProductName	String	The name of the OS on the endpoint.
Traps.Endpoint.Is64	String	The bitness of the OS on the endpoint.
Traps.Endpoint.LastSeen	String	The date/time of the last active ping.
Traps.Endpoint.LastUser	String	The last active user on the machine.

Command Example

!traps-get-endpoint-by-id endpoint_id="d3339851f18f470182bf2bf98ad5db4b"

Context Example

{
    "Traps.Endpoint": {
        "ComputerSid": "S-1-5-21-202186053-2642234773-3690463397",
        "Domain": "WORKGROUP",
        "ID": "d3339851f18f470182bf2bf98ad5db4b",
        "IP": "172.31.33.227",
        "Is64": true,
        "IsCompromised": false,
        "LastSeen": "2019-10-03T09:06:40.000Z",
        "LastUser": "Administrator",
        "Name": "EC2AMAZ-8IEUJEN",
        "OsProductName": "",
        "OsProductType": "server",
        "OsVersion": "10.0.14393",
        "Platform": "windows",
        "Status": "active"
    }
}

Human Readable Output

Endpoint d3339851f18f470182bf2bf98ad5db4b data:

Computer Sid	Domain	ID	IP	Is 64	Is Compromised	Last Seen	Last User	Name	Os Product Name	Os Product Type	Os Version	Platform	Status
S-1-5-21-202186053-2642234773-3690463397	WORKGROUP	d3339851f18f470182bf2bf98ad5db4b	172.31.33.227	true	false	2019-10-03T09:06:40.000Z	Administrator	EC2AMAZ-8IEUJEN		server	10.0.14393	windows	active

2. Execute a file retrieve operation / SAM on an agent

---

Executes a file retrieve operation / SAM on the specified agent.

Base Command

traps-endpoint-files-retrieve

Input

Argument Name	Description	Required
endpoint_id	The ID of the endpoint.	Required
file_name	The name of the file to retrieve (including path).	Required
event_id	The ID of the event.	Required

Context Output

Path	Type	Description
Traps.FileRetrieve.EndpointID	String	The ID of the endpoint.
Traps.FileRetrieve.OperationID	String	The ID of the operation.
Traps.FileRetrieve.Type	String	The type of operation.

Command Example

!traps-endpoint-files-retrieve endpoint_id="d3339851f18f470182bf2bf98ad5db4b" file_name="C:\\Program Files
        (x86)\\Notepad++\\notepad++.exe" event_id="1cfb8fac7b504dc9894eabb9eb33de73"

Context Example

{
    "Traps.FileRetrieve": {
        "EndpointID": "d3339851f18f470182bf2bf98ad5db4b",
        "OperationID": "3f7d6e86e5bd11e9acbf0245d8e950da",
        "Type": "files-retrieve"
    }
}

Human Readable Output

Files retrieve command on endpoint: d3339851f18f470182bf2bf98ad5db4b received

Endpoint ID	Operation ID	Type
d3339851f18f470182bf2bf98ad5db4b	3f7d6e86e5bd11e9acbf0245d8e950da	files-retrieve

3. Scan an endpoint

---

Performs a scan operation on the specified endpoint.

Base Command

traps-endpoint-scan

Input

Argument Name	Description	Required
endpoint_id	The ID of the endpoint.	Required

Context Output

Path	Type	Description
Traps.Scan.EndpointID	String	The ID of the endpoint.
Traps.Scan.OperationID	String	The ID of the operation.
Traps.Scan.Type	String	The type of operation.

Command Example

!traps-endpoint-scan endpoint_id="d3339851f18f470182bf2bf98ad5db4b"

Context Example

{
    "Traps.Scan": {
        "EndpointID": "d3339851f18f470182bf2bf98ad5db4b",
        "OperationID": "404d5231e5bd11e9acbf0245d8e950da",
        "Type": "endpoint-scan"
    }
}

Human Readable Output

Scan command on endpoint: d3339851f18f470182bf2bf98ad5db4b received

Endpoint ID	Operation ID	Type
d3339851f18f470182bf2bf98ad5db4b	404d5231e5bd11e9acbf0245d8e950da	endpoint-scan

4. Modify details for an event

---

Modifies the status and adds a comment to an existing event.

Base Command

traps-event-update

Input

Argument Name	Description	Required
event_id	The ID of the event to modify.	Required
status	The new status for the event.	Optional
comment	A comment for the event.	Optional

Context Output

There are no context output for this command.

Command Example

!traps-event-update event_id="53edb3fa9a3b4b83bcf168390a2ec08d" status="new"

Human Readable Output

Event: 53edb3fa9a3b4b83bcf168390a2ec08d was updated

New status: new

5. Modify details for multiple events

---

Modifies the status of multiple events.

Base Command

traps-event-bulk-update-status

Input

Argument Name	Description	Required
event_ids	A comma-separated list of IDs for events to modify.	Required
status	The new status for the event.	Required

Context Output

There are no context output for this command.

Command Example

!traps-event-bulk-update-status event_ids="df4e60a62515482f98c8ef37e74363df,cfe4d15aca924bfcb7d2fc629b696bdd"
        status="new"

Context Example

{}

Human Readable Output

Successfully updated

**No entries.**

Failed to update

**No entries.**

Ignored

Event ID
cfe4d15aca924bfcb7d2fc629b696bdd
df4e60a62515482f98c8ef37e74363df

6. Add a file hash to the block list

---

Adds the specified file hash to the block list.

Base Command

traps-hash-blacklist

Input

Argument Name	Description	Required
hash_id	The SHA256 hash to add to the block list.	Required

Context Output

Path	Type	Description
Traps.File.BlacklistStatus	String	The status of the file hash ("blacklisted" or "none").
Traps.File.SHA256	String	The SHA256 hash of the file.

Command Example

!traps-hash-blacklist hash_id="1111111111111111111111111111111111111111111111111111111111111111"

Context Example

{
    "Traps.File": {
        "BlacklistStatus": "blacklisted",
        "SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
    }
}

Human Readable Output

Successfully blacklisted: 1111111111111111111111111111111111111111111111111111111111111111

7. Remove a file hash from the block list

---

Removes the specified file hash from the block list.

Base Command

traps-hash-blacklist-remove

Input

Argument Name	Description	Required
hash_id	The SHA256 hash to remove from the block list.	Required

Context Output

Path	Type	Description
Traps.File.BlacklistStatus	String	The status of the file hash ("blacklisted" or "none").
Traps.File.SHA256	String	The SHA256 hash of the file.

Command Example

!traps-hash-blacklist-remove
        hash_id="1111111111111111111111111111111111111111111111111111111111111111"

Context Example

{
    "Traps.File": {
        "BlacklistStatus": "none",
        "SHA256": "1111111111111111111111111111111111111111111111111111111111111111"
    }
}

Human Readable Output

Successfully removed 1111111111111111111111111111111111111111111111111111111111111111 from block list

8. Return a file hash to the block list

---

Returns the block list status of the specified file hashes.

Base Command

traps-hashes-blacklist-status

Input

Argument Name	Description	Required
hash_ids	A comma-separated list of SHA256 file hashes for which to return the block list status.	Required

Context Output

Path	Type	Description
Traps.File.BlacklistStatus	String	The block list status of the file hash. Can be "blacklisted" or "none".
Traps.File.SHA256	String	The SHA256 hash of the file.

Command Example

!traps-hashes-blacklist-status
        hash_ids="5616ff15b3f5df4e18d28771ccdae19173873009f2318761aa9f9e573b9d9acc,360b12ccfa33c6d2021bf34162b111ffc2f5939b0524b2e045cd682d93318d69"

Context Example

{
    "Traps.File": [
        {
            "BlacklistStatus": "blacklisted",
            "SHA256": "360b12ccfa33c6d2021bf34162b111ffc2f5939b0524b2e045cd682d93318d69"
        },
        {
            "BlacklistStatus": "none",
            "SHA256": "5616ff15b3f5df4e18d28771ccdae19173873009f2318761aa9f9e573b9d9acc"
        }
    ]
}

Human Readable Output

Hashes status:

Blacklist Status	SHA256
blacklisted	360b12ccfa33c6d2021bf34162b111ffc2f5939b0524b2e045cd682d93318d69
none	5616ff15b3f5df4e18d28771ccdae19173873009f2318761aa9f9e573b9d9acc

9. Quarantine an event

---

Creates a quarantine entry for the specified event.

Base Command

traps-event-quarantine

Input

Argument Name	Description	Required
event_id	The ID of the event for which to create a quarantine entry..	Required

Context Output

Path	Type	Description
Traps.Quarantine.EventID	String	The ID of the event.
Traps.Quarantine.OperationID	String	The ID of the operation.
Traps.Quarantine.Type	String	The type of operation.

Command Example

!traps-event-quarantine event_id="19903a443a47441a86c92c3aea5abb30"

Context Example

{
    "Traps.Quarantine": [
        {
            "EventID": "19903a443a47441a86c92c3aea5abb30",
            "OperationID": "42185783e5bd11e9acbf0245d8e950da",
            "Type": "event-quarantine"
        }
    ]
}

Human Readable Output

Quarantine command on event: 19903a443a47441a86c92c3aea5abb30 received

Event ID	Operation ID	Type
19903a443a47441a86c92c3aea5abb30	42185783e5bd11e9acbf0245d8e950da	event-quarantine

10. Isolate an endpoint

---

Isolates the specified endpoint.

Base Command

traps-endpoint-isolate

Input

Argument Name	Description	Required
endpoint_id	The ID of the endpoint to isolate.	Required

Context Output

Path	Type	Description
Traps.Isolate.EndpointID	String	The ID of the endpoint.
Traps.Isolate.OperationID	String	The ID of the operation.
Traps.Isolate.Type	String	The type of operation.

Command Example

!traps-endpoint-isolate endpoint_id=d3339851f18f470182bf2bf98ad5db4b

Context Example

{
    "Traps.Isolate": {
        "EndpointID": "d3339851f18f470182bf2bf98ad5db4b",
        "OperationID": "4278ac6ce5bd11e9acbf0245d8e950da",
        "Type": "endpoint-isolate"
    }
}

Human Readable Output

Isolate command on endpoint d3339851f18f470182bf2bf98ad5db4b received

Endpoint ID	Operation ID	Type
d3339851f18f470182bf2bf98ad5db4b	4278ac6ce5bd11e9acbf0245d8e950da	endpoint-isolate

11. Get the result of a quarantine operation

---

Returns the result of the specified quarantine operation.

Base Command

traps-event-quarantine-result

Input

Argument Name	Description	Required
operation_id	The ID of the operation for which to get the result of the quarantine operation.	Required

Context Output

Path	Type	Description
Traps.QuarantineResult.SHA256	String	The SHA256 hash of the file.
Traps.QuarantineResult.FilePath	String	The file path on the endpoint.
Traps.QuarantineResult.OperationID	String	The ID of the operation.
Traps.QuarantineResult.Status	String	The status of the quarantine operation.

Command Example

!traps-event-quarantine-result operation_id="e092afa2e08511e9acbf0245d8e950da"

Context Example

{
    "Traps.QuarantineResult": {
        "FilePath": "C:\\Users\\Administrator\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\f_000013",
        "OperationID": "e092afa2e08511e9acbf0245d8e950da",
        "SHA256": "2f937ee2fd10a6ea58faca31ab455d18e29ded5d88b4a6f8cc29127a23232e45",
        "Status": "finished"
    }
}

Human Readable Output

Status of quarantine operation: e092afa2e08511e9acbf0245d8e950da

File Path	Operation ID	SHA256	Status
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013	e092afa2e08511e9acbf0245d8e950da	2f937ee2fd10a6ea58faca31ab455d18e29ded5d88b4a6f8cc29127a23232e45	finished

12. Get the result of an isolate operation

---

Returns the status of the specified endpoint isolate operation.

Base Command

traps-endpoint-isolate-status

Input

Argument Name	Description	Required
operation_id	The ID of the operation.	Required

Context Output

Path	Type	Description
Traps.IsolateResult.OperationID	String	Operation ID. Use this to retrieve status / results.
Traps.IsolateResult.Status	String	The status of the isolation operation.

Command Example

!traps-endpoint-isolate-status operation_id=d4abbbc4e5ba11e9acbf0245d8e950da

Context Example

{
    "Traps.IsolateResult": {
        "OperationID": "d4abbbc4e5ba11e9acbf0245d8e950da",
        "Status": "finished"
    }
}

Human Readable Output

Isolate status is: finished

13. Get the results of an endpoint file retrieve operation

---

Returns the result of the endpoint file retrieve operation.

Base Command

traps-endpoint-files-retrieve-result

Input

Argument Name	Description	Required
operation_id	The ID of the operation.	Required

Context Output

There are no context output for this command.

Command Example

!traps-endpoint-files-retrieve-result operation_id="d129d313e5ba11e9acbf0245d8e950da"

Context Example

{
    "Traps.FileRetrieveResult": {
        "OperationID": "d129d313e5ba11e9acbf0245d8e950da",
        "Status": "finished"
    }
}

Human Readable Output

File retrieval status is: finished

14. Get the results of an endpoint scan operation

---

Returns the results of an endpoint scan operation.

Base Command

traps-endpoint-scan-result

Input

Argument Name	Description	Required
operation_id	The ID of the operation.	Required

Context Output

Path	Type	Description
Traps.ScanResult.FileScanned	Number	The number of scanned files.
Traps.ScanResult.FilesFailed	Number	The number of files that were not scanned.
Traps.ScanResult.MalwareFound	Number	The number of detected malware.
Traps.ScanResult.OperationID	String	The ID of the operation.
Traps.ScanResult.Status	String	The status of the scan.

Command Example

!traps-endpoint-scan-result operation_id="d270d8bce5ba11e9acbf0245d8e950da"

Context Example

{
    "Traps.ScanResult": {
        "FileScanned": 57295,
        "FilesFailed": 0,
        "MalwareFound": 1,
        "OperationID": "d270d8bce5ba11e9acbf0245d8e950da",
        "Status": "error"
    }
}

Human Readable Output

Status of scan operation: d270d8bce5ba11e9acbf0245d8e950da

File Scanned	Files Failed	Malware Found	Operation ID	Status
57295	0	1	d270d8bce5ba11e9acbf0245d8e950da	error