>
    Strata Copilot
    View All Threat Incidents
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. View Threats and Incidents
    4. View All Threat Incidents
    Download PDF
    SaaS Security

    View All Threat Incidents

    Table of Contents

    View All Threat Incidents

    The Incidents tab on the Behavior Threats page displays the threat incidents that Behavior Threats detected.
    1. Log in to Strata Cloud Manager.
    2. Select to ConfigurationSaaS SecurityBehavior ThreatsIncidents.
    3. In the Incidents table, review the information about the threat incidents.
      The displayed information includes the name of the policy that describes this type of incident, the severity of the incident, the user whose actions caused the incident, and the date that the incident occurred. You can sort the Incidents table according to any of these attributes by clicking the appropriate column.
    4. (Optional) Add Filter to the table to view only the incidents for a particular severity, user, or situation type (such as a spike in activity).
    5. (Optional) To view more information about the policy or user associated with the incident, click the name in the Policy Name or User column of the table.
    6. Click the incident Description to view in-depth details about a particular incident.
      • Incident Details
        This section provides a written summary of the incident that describes which user accessed which app, and why it generated an incident. Additionally, it provides the following information:
        • General Info—Describes the severity level of the incident, the user who generated the incident, the email of the user, and the last time the incident was updated.
        • Violation—Describes the violation situation, the name of the policy rule and policy rule type the incident generated against, and the action taken as configured in the policy rule.
        • Activity—Describes the activity that generated the incident and the number of individual events associated with the incident.
      • Events
        Presents a bar graph displaying the total number of event counts associated with the incident, and the time each event occurred.
      • Incident List
        (Dynamic Policy Rules Only) You can filter and narrow down the list of incidents generated from predefined dynamic user activity policy rules based on the Application and Activity you want to investigate.
        A list of all events associated with the incident that includes the following information displays for both dynamic and static user activity policy rules.
        • Date and time the event occurred in YYYY-MM-DD:HH:MM:SS UTC format.
        • App associated with the incident.
        • Activity that occurred that generated the incident.
        • Location or region where the incident occurred.
        • Source IP address of the user who generated the incidents.
      Click the Incidents link at the top of the page to return to the Behavior Threats Incidents page.
    7. (Optional) Click the table's download icon to export a CSV file with a list of the incidents. The list will contain all incidents unless you applied a filter to the table.

    © 2025 Palo Alto Networks, Inc. All rights reserved.