Get a holistic view of threat activity and various types of threats seen in your
Prisma Access and NGFW environments.
Where Can I Use This? | What Do I Need?

What Do I Need?
You must have at least one of these licenses to use Activity Insights:
The other licenses needed to view the Activity Insights: Threats tab are:
- Strata Logging Service
- CDSS licenses
- ADEM Observability (unlocks additional Prisma Access features)
Get a holistic view of threat activity and the various types of threats seen in your network. The tab shows the total number of threat sessions seen in your Prisma Access and NGFW deployments, and a breakdown of those numbers by threat category and threat severity for the selected time period. You can search on a security artifact (a file hash, URL, domain, or IPv4/IPv6 address) associated with a threat to see the Palo Alto Networks threat intelligence analysis and the third-party analysis findings.
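The artifact search accepts a file hash, URL, domain, or IPv4/IPv6 address. As an added example (not Palo Alto Networks code, and not an Activity Insights API), the following Python helper decides which kind of artifact a search string is and normalizes it before it is handed to a threat intelligence lookup. It goes slightly beyond the text by refanging defanged indicators (`hxxp://`, `[.]`) as they are commonly shared in reports. The function names and the accepted hash lengths (MD5, SHA-1, SHA-256) are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed mapping from hex-digest length to hash algorithm (not from the page).
HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def refang(value: str) -> str:
    """Undo common defanging used when sharing indicators (hxxp://, [.], (.), [:])."""
    value = value.strip()
    value = re.sub(r"(?i)^hxxp", "http", value)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def is_domain(value: str) -> bool:
    """Loose domain check: at least two valid labels and a non-numeric TLD."""
    labels = value.rstrip(".").split(".")
    return (len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())


def classify_artifact(value: str) -> tuple[str, str]:
    """Return (kind, normalized_value).

    kind is one of hash-md5 / hash-sha1 / hash-sha256, ipv4, ipv6, url,
    domain, or unknown. Unknown input is returned unchanged so the caller
    can reject it instead of sending junk to the lookup.
    """
    v = refang(value)
    # 1. Hex digest of a known length -> file hash (lower-cased for lookup).
    if _HEX.match(v) and len(v) in HEX_HASH_LENGTHS:
        return ("hash-" + HEX_HASH_LENGTHS[len(v)], v.lower())
    # 2. Bare IP address; strip the brackets used around IPv6 literals.
    try:
        ip = ipaddress.ip_address(v.strip("[]"))
        return ("ipv%d" % ip.version, str(ip))
    except ValueError:
        pass
    # 3. URL with a scheme and a host.
    if "://" in v:
        parts = urlsplit(v)
        if parts.scheme in ("http", "https", "ftp") and parts.hostname:
            return ("url", v)
        return ("unknown", value)
    # 4. Domain name.
    if is_domain(v):
        return ("domain", v.rstrip(".").lower())
    return ("unknown", value)
```

The classifier is deliberately conservative: anything it cannot place is reported as `unknown` rather than guessed, so a search integration can reject it and avoid noisy or malformed lookups.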
Review the following details of unique threats in your network:
- Threat Name - Threat signature name. Use this to find the latest Threat Vault information about the threat, including all the threat sessions during a time range.
- Threat ID - Unique threat signature ID. Use the threat ID to look up the latest information that the Palo Alto Networks threat database has for this signature.
- Threat Category and Subcategory - The type of threat, based on threat signatures (Antivirus, Spyware (C2), and Vulnerability).
- Severity - The threat severity is determined by how easy the vulnerability is to exploit, the pervasiveness of the vulnerable product, the impact of the vulnerability, and other factors. The severity is categorized as:
  - Critical - The vulnerability affects default installations of very widely deployed software, and exploitation can result in root compromise. Exploit code (methods, proof-of-concept (POC) code, and other information about how to exploit the system) is widely available and easy to use. The attacker needs no special authentication credentials or knowledge about individual victims.
  - High - Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
  - Medium - Minor threats in which the impact is minimized, such as DoS attacks that do not compromise the target, or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access.
  - Low - Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage.
  - Informational - Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist.
- Total Sessions - The number of sessions in which the threat was detected. Click the threat name to view all related threat sessions in the specified time range. The threat session table provides context on the threat, such as the time when Palo Alto Networks security services detected the threat, the users, rules, applications, and devices impacted by the threat, and the action taken (allowed or blocked) on the threat.
- Total Users - The number of users exposed to the threat.
- Allowed Threats and Blocked Threats - Review the action enforced on the threat to ensure the actions are not triggering false positives on your network.
- Actions - Investigate the log history of the threat in the Log Viewer.
- Reports - You cannot generate reports that cover the data in this view.
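The columns above are aggregates over individual threat sessions. As an added example, not code from Palo Alto Networks or from the Activity Insights product, the following Python rolls up constructed session records into the same per-threat figures (total sessions, unique users, allowed and blocked counts) for a selected time window, produces the category and severity breakdowns, and lists high-or-critical threats that were allowed at least once, which is the first set to check when reviewing enforcement actions for false positives or wrong rule actions. The record layout, field names, threat names, threat IDs and severity ranking are assumptions; the sample records are constructed, not real log output.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordering of the severity levels described on the page.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample threat-session records (not real Palo Alto Networks log
# output). Field layout, an assumption mirroring the tab's columns:
# (time, threat_name, threat_id, category, severity, user, action)
SAMPLE_SESSIONS = [
    ("2024-05-01T10:00:00Z", "Example.Exploit.RCE", "EX-90001", "vulnerability", "critical", "alice", "blocked"),
    ("2024-05-01T10:05:00Z", "Example.Exploit.RCE", "EX-90001", "vulnerability", "critical", "bob", "allowed"),
    ("2024-05-01T11:00:00Z", "Example.C2.Beacon", "EX-90002", "spyware", "high", "alice", "blocked"),
    ("2024-05-01T11:30:00Z", "Example.C2.Beacon", "EX-90002", "spyware", "high", "alice", "blocked"),
    ("2024-05-01T12:00:00Z", "Example.Virus.Dropper", "EX-90003", "antivirus", "medium", "carol", "allowed"),
    ("2024-05-02T09:00:00Z", "Example.Exploit.RCE", "EX-90001", "vulnerability", "critical", "dave", "blocked"),
]


@dataclass(frozen=True)
class ThreatSummary:
    """One row of the unique-threats table."""
    threat_name: str
    threat_id: str
    category: str
    severity: str
    total_sessions: int
    total_users: int
    allowed: int
    blocked: int


def summarize(sessions, start="0000", end="9999"):
    """Roll up per-session records into one row per threat ID for [start, end).

    Timestamps are ISO 8601 strings in UTC, so a lexical comparison selects the
    window. Rows are sorted by severity (highest first), then by session count.
    """
    by_id = defaultdict(list)
    for rec in sessions:
        if start <= rec[0] < end:
            by_id[rec[2]].append(rec)
    rows = []
    for tid, recs in by_id.items():
        rows.append(ThreatSummary(
            threat_name=recs[0][1],
            threat_id=tid,
            category=recs[0][3],
            severity=recs[0][4],
            total_sessions=len(recs),
            total_users=len({r[5] for r in recs}),
            allowed=sum(1 for r in recs if r[6] == "allowed"),
            blocked=sum(1 for r in recs if r[6] == "blocked"),
        ))
    rows.sort(key=lambda r: (SEVERITY_RANK[r.severity], r.total_sessions), reverse=True)
    return rows


def breakdown(rows, field):
    """Session counts grouped by a row attribute, e.g. 'category' or 'severity'."""
    counts = defaultdict(int)
    for r in rows:
        counts[getattr(r, field)] += r.total_sessions
    return dict(counts)


def allowed_above(rows, min_severity="high"):
    """Threats at or above min_severity that were allowed at least once.

    Review these first: either the rule action is wrong or the detection is a
    false positive, and both need a decision before the next occurrence.
    """
    floor = SEVERITY_RANK[min_severity]
    return [r for r in rows if SEVERITY_RANK[r.severity] >= floor and r.allowed > 0]


if __name__ == "__main__":
    rows = summarize(SAMPLE_SESSIONS, "2024-05-01", "2024-05-03")
    for r in rows:
        print(f"{r.severity:<13} {r.threat_name:<22} sessions={r.total_sessions} "
              f"users={r.total_users} allowed={r.allowed} blocked={r.blocked}")
    print("by category:", breakdown(rows, "category"))
    print("by severity:", breakdown(rows, "severity"))
    print("allowed high/critical:", [r.threat_id for r in allowed_above(rows)])
```

Keying the roll-up on the threat ID rather than the threat name keeps two signatures that share a display name apart, and the window bounds are half-open so consecutive reporting periods never double-count a session.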