Prisma Access (Managed by Panorama or Strata Cloud Manager)
Security Administrator, Superuser, or Readonly roles within the
platform's Identity Management System.
Permission to view the Analytics → Account Usage page, open drilldown
details, and apply filters and sorting options.
The Account Usage screen (account inventory) provides you with a centralized,
data-driven view of user identities and access patterns across the organization. It
aggregates successful login events from Prisma Browser and the Prisma Browser
Extension to give a comprehensive picture of user access in your environment.
Account Usage is a proactive tool for identifying and addressing key security
vulnerabilities, such as:
Shadow IT
Non-SSO usage
Shared accounts
High-risk login behaviors
Data Anonymization: Usernames are anonymized according to the
Activity Logging setting in the Tracking section of each rule. A username becomes
visible only after it appears in non-anonymized form in a system event. Anonymization
can be controlled in the Tracking section of each rule.
Data Retention: Account identifiers and basic metadata
are retained indefinitely. Event-based data, such as login activity and risk scores,
adhere to your organization's standard event retention policy. Associated activity and
risk data will no longer appear in the inventory once underlying events are
cleared.
Login Methods
The Account Inventory system recognizes the following login methods:
Form: Login using a standard username/password login form.
Passkeys: Login using the WebAuthn protocol (passkey).
SSO: Login using a SAML-based Identity Provider.
Social: Login using one of the supported social login providers:
Google
Microsoft
Facebook
Apple
Github
LinkedIn
X (Twitter)
OIDC SSO: Login using an OIDC-based identity provider.
In many cases, social logins from providers that are not in the list above
are categorized under this login method.
Many websites that appear to provide form-based login actually use
OIDC SSO behind the scenes (e.g. government, healthcare and other
similar websites).
Manage and Analyze User Accounts
From Strata Cloud Manager, select Configuration → Analytics → Account Usage to open the Account Usage page.
Spotlights
Spotlights allow you to quickly identify common security concerns. The following
Spotlights are available for Account Usage:
Non-SSO Accounts: Accounts not protected by your primary Identity
Providers.
Unknown App Accounts: Accounts found on domains not currently in
your application catalog.
Risky-App Accounts: Accounts that use applications that are
considered risky.
Risky Accounts: Accounts that are considered risky based on
established criteria.
Shared Accounts: Identities used by more than one person.
GenAI Accounts: Accounts on applications that use generative AI.
Filter and Sort Account Data
Main table columns:
Account Username / Account Application: These are presented in a
single cell. The Account Username is the username or unique identifier
of the user. The Account Application is the catalog or custom
application, including GenAI tags and Application Risk indicators. Hover
over the field to see all the information.
Account URL: The URL of the page on which the login occurred.
Identity Provider: The type and URL of the identity provider
used to log in to the account (for SSO, OIDC SSO and Social login
methods). Hover over the field to see the provider URL.
User: The Prisma Browser (PB) users that logged into this account. (Note:
currently limited to 100 users for a shared account; open the drawer to
see the rest of the users.)
Device: The devices on which this account was accessed.
Login Activity: Total successful logins in the selected
timeframe, with a trend arrow compared to the previous period of the
same length as the one selected in the Time filter.
Login Methods: The method used (Form, SSO, OIDC SSO, Social,
Passkey).
Risk: The dynamically calculated severity of the risk
posed by the account (No risk, Low, Medium, or High).
Latest Login: The time of the last successful login.
Filter Account Data
Time: Filter by time frame. Select one of the options:
Last 24 hours
2 days
7 days [default]
14 days
30 days
Account Username: Filter by the username used to login to the
account.
Unknown username - Is the username of the account
unknown?
Anonymized username - Is the username of the account
anonymized?
Account Application: Filter by the catalog/custom application
used to login to the account.
Account URL: Filter by the URL used to login to the account.
Identity provider: Filter by identity provider type (e.g. Okta,
Entra, Google, Facebook).
Identity provider URL: Filter by the specific Identity Provider
URL.
User: Filter by the Prisma Browser (PB) user that logged into the account.
Device: Filter by the device that logged into the account.
Login method: Filter by the login methods used to log in to the account.
Application risk: Is the application identified as risky in the
catalog?
Is GenAI app: Is the application identified as a GenAI
application?
Shared account: Is this a shared account used by multiple users?
Account risk: Filter by the risk level of the account.
Trusted IdP: Filter accounts on trusted identity providers,
defined as either of the following:
An account within the trusted identity provider (e.g. the username@acme.com Entra ID
account).
An account that uses the trusted identity provider to log in
(e.g. the Salesforce account username@acme.com that uses
Entra ID for login).
You can modify the list of trusted identity providers within the
filter.
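The Spotlights, the Login Activity trend column and the Trusted IdP filter above are all derived from the same successful-login events. The following added example (not Prisma Access Browser product code, and not the product's actual scoring logic) rebuilds the Non-SSO and Shared Accounts spotlights, the Trusted IdP filter with both of its conditions, and the Login Activity count with its previous-period trend from a constructed event list, so that the definitions can be checked against concrete data, for instance when validating an export. The event field names, the trusted-IdP list, the reading of "not protected by your primary Identity Providers" as "at least one login not brokered by a trusted SAML/OIDC IdP", and the sample events are all assumptions.

```python
"""Added example, not Prisma Access Browser product code.

Reproduces, from raw successful-login events, the Non-SSO and Shared Accounts
spotlights, the Trusted IdP filter and the Login Activity trend column.
Field names, the trusted-IdP configuration and the sample events are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LoginEvent:
    account: str            # username used on the application
    application: str        # catalog or custom application name
    login_method: str       # "Form", "Passkey", "SSO", "OIDC SSO" or "Social"
    idp_url: Optional[str]  # IdP that authenticated the login, if any
    user: str               # Prisma Browser user who performed the login
    timestamp: datetime     # time of the successful login


# Assumed trusted-IdP configuration: IdP URL -> applications that ARE that IdP
# (filter condition 1: the account lives inside the trusted IdP itself).
TRUSTED_IDPS = {"login.microsoftonline.com": {"Microsoft 365"}}
TRUSTED_IDP_APPS = set().union(*TRUSTED_IDPS.values())
SSO_METHODS = {"SSO", "OIDC SSO"}   # Social logins are IdP-based but not primary


def account_key(event):
    """An account is identified by username + application, as in the table."""
    return (event.account, event.application)


def group_by_account(events):
    groups = defaultdict(list)
    for e in events:
        groups[account_key(e)].append(e)
    return groups


def is_primary_idp_login(event):
    """SAML/OIDC login brokered by one of the trusted (primary) IdPs."""
    return event.login_method in SSO_METHODS and event.idp_url in TRUSTED_IDPS


def non_sso_accounts(events):
    """Non-SSO spotlight (assumed reading): at least one login to the account
    was not brokered by a primary IdP (Form, Passkey, Social, or SSO through
    an untrusted IdP all count)."""
    return {k for k, evs in group_by_account(events).items()
            if not all(is_primary_idp_login(e) for e in evs)}


def shared_accounts(events):
    """Shared Accounts spotlight: one identity used by more than one person."""
    return {k for k, evs in group_by_account(events).items()
            if len({e.user for e in evs}) > 1}


def trusted_idp_accounts(events):
    """Trusted IdP filter: the account is inside a trusted IdP (condition 1)
    or it used a trusted IdP to log in (condition 2)."""
    out = set()
    for k, evs in group_by_account(events).items():
        inside = any(e.application in TRUSTED_IDP_APPS for e in evs)
        via = any(is_primary_idp_login(e) for e in evs)
        if inside or via:
            out.add(k)
    return out


def login_activity(events, account, now, days=7):
    """Login Activity column: successful logins in the selected window plus
    the trend against the previous window of the same length."""
    window = timedelta(days=days)
    current = previous = 0
    for e in events:
        if account_key(e) != account:
            continue
        if now - window < e.timestamp <= now:
            current += 1
        elif now - 2 * window < e.timestamp <= now - window:
            previous += 1
    trend = "up" if current > previous else "down" if current < previous else "flat"
    return current, previous, trend


# Constructed sample events (not real telemetry).
NOW = datetime(2025, 6, 15, 12, 0)
_ago = lambda days: NOW - timedelta(days=days)
SAMPLE_EVENTS = [
    # Salesforce account brokered by Entra ID: trusted via condition 2.
    LoginEvent("alice@acme.com", "Salesforce", "SSO", "login.microsoftonline.com", "alice", _ago(1)),
    LoginEvent("alice@acme.com", "Salesforce", "SSO", "login.microsoftonline.com", "alice", _ago(3)),
    LoginEvent("alice@acme.com", "Salesforce", "SSO", "login.microsoftonline.com", "alice", _ago(10)),
    # Account inside the trusted IdP itself: trusted via condition 1.
    LoginEvent("alice@acme.com", "Microsoft 365", "OIDC SSO", "login.microsoftonline.com", "alice", _ago(2)),
    # Form login to a team mailbox account used by two people: Non-SSO and Shared.
    LoginEvent("ops-team@gmail.com", "Trello", "Form", None, "bob", _ago(1)),
    LoginEvent("ops-team@gmail.com", "Trello", "Form", None, "carol", _ago(2)),
    # Social login through Google: IdP-based, but not a primary IdP, so Non-SSO.
    LoginEvent("dave@acme.com", "Figma", "Social", "accounts.google.com", "dave", _ago(5)),
    LoginEvent("dave@acme.com", "Figma", "Social", "accounts.google.com", "dave", _ago(9)),
]

if __name__ == "__main__":
    print("Non-SSO:", sorted(non_sso_accounts(SAMPLE_EVENTS)))
    print("Shared: ", sorted(shared_accounts(SAMPLE_EVENTS)))
    print("Trusted:", sorted(trusted_idp_accounts(SAMPLE_EVENTS)))
    print("Activity:", login_activity(SAMPLE_EVENTS, ("alice@acme.com", "Salesforce"), NOW))
```

The Figma account is the case worth noticing: a Social login through Google is still an IdP login, so it shows an Identity Provider in the table, but it is not one of the organization's primary IdPs, so it lands in the Non-SSO spotlight and is excluded by the Trusted IdP filter.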
Investigate Individual Account Details
Select any account in the main table. A drawer opens on the right side
containing granular information.
The drawer shows the full account metadata, including:
Full ID
Provider/tenant details
Detailed Risk information
Detailed Login activity
Full list of users and devices that accessed the account
Risk Remediation - What Should I Do?
The risks shown in the drawer list not only the risk type but also the
suggested resolution.
To investigate the risks calculated for an account, use the drawer to:
Analyze associated users and devices: Review the
list of users and the specific devices (Prisma Browser Desktop vs.
Prisma Browser Extension) they use.
Review login activity and attempts: Examine
detailed widgets showing successful versus failed or blocked
attempts.