Activity Insights: Threats
Focus
Focus
Strata Cloud Manager

Activity Insights: Threats

Table of Contents

Activity Insights: Threats

Get a holistic view of threat activity and various types of threats seen in your Prisma Access and NGFW environments.
Where Can I Use This?What Do I Need?
  • Prisma Access
    (with Strata Cloud Manager or Panorama configuration management)
  • NGFWs
    (with Strata Cloud Manager or Panorama configuration management)
You must have at least one of these licenses to use the Activity Insights:The other licenses needed to view the Activity Insights:Threats tab are:
  • Strata Logging Service
  • CDSS licenses
  • ADEM Observability will unlock additional Prisma Access features
Get a holistic view of threat activity and various types of threats seen in your network. The tab shows the total number of threat sessions seen in your Prisma Access and NGFW deployments, breakdown of the numbers based on threat category and threat severity for the selected time period. You can search on a security artifact (file hash, a URL, a domain, or an IP address (IPv4 or IPv6) associated with a threat to know the Palo Alto Networks threat intelligence analysis and the third-party analysis findings.
Review the following details of unique threats in your network:
  • Threat Name- Threat signature name. Use this to find the latest Threat Vault information about the threat including all the threat sessions during a time range.
  • Threat ID- Unique threat signature ID. Use the threat ID to look up the latest information that the Palo Alto Networks threat database has for this signature.
  • Threat Category and Subcategory- The type of threats based on threat signatures (Antivirus, Spyware (C2), and Vulnerability).
  • Licenses- The Palo Alto Networks security services that detected the threat.
  • Severity- The threat severity is determined based on how easy it is to exploit the vulnerability, the impact on vulnerability, the pervasiveness of the vulnerable product, the impact of the vulnerability, and more. The severity is categorized as:
    • Critical- When vulnerability affects default installations of very widely deployed software and the exploits can result in root compromised. The exploit code( information about how to exploit the system code, methods, Proof of concept(POC)) is widely available and easy to exploit. The attacker doesn't need any special authentication credentials, or knowledge about individual victims.
    • High- Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
    • Medium- Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access.
    • Low- Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage.
    • Informational- Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist.
  • Total Sessions- the number of sessions where the threat was detected. Click the threat name to view all related threat sessions in the specified time range. The threat session table provides context on the threat such as time when the Palo Alto Network security services detected the threats, users, rules, applications, devices impacted by the threat, and action taken (allowed or blocked) on the threat.
  • Total Users- number of users exposed to the threat.
  • Allowed Threats and Blocked Threats- review the action enforced on the threat to ensure the actions are not triggering false positives on your network.
  • Actions- investigate the log history of the threat in the Log Viewer.
Reports- You cannot generate report that cover the data in this view.