Strata Cloud Manager
Activity Insights: Threats
Get a holistic view of threat activity and various types of threats seen in your
Prisma Access and NGFW environments.
| Where Can I Use This? | What Do I Need? |
|---|---|
|  | You must have at least one of these licenses to use the Activity Insights: |
The Threats tab shows the total number of threat sessions seen in your Prisma Access and NGFW deployments, broken down by threat category and by threat severity for the selected time period. You can also search on a security artifact associated with a threat (a file hash, a URL, a domain, or an IPv4 or IPv6 address) to view the Palo Alto Networks threat intelligence analysis and the third-party analysis findings for it.
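
The search described above accepts a file hash, a URL, a domain, or an IP address. Indicators copied out of tickets and reports are often defanged (`hxxp://`, `[.]`) or inconsistently cased, so it helps to classify and normalize them before searching. The following is an added example, not code from this page or from Palo Alto Networks: it detects which kind of artifact a string is and returns a normalized form. The function name `classify_artifact`, the refanging rules, and the hostname regex are our own assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Digest lengths (hex characters) for the hash types commonly searched on.
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: dot-separated labels of 1-63 letters/digits/hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)(?:[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$"
)


def classify_artifact(value: str) -> tuple[str, str]:
    """Return (kind, normalized) for an indicator string.

    kind is one of 'hash', 'ipv4', 'ipv6', 'url', 'domain' or 'unknown'.
    Defanged forms are refanged first (assumed conventions: hxxp, [.], [:]).
    """
    v = value.strip()
    v = v.replace("hxxp://", "http://").replace("hxxps://", "https://")
    v = v.replace("[.]", ".").replace("[:]", ":")
    v = v.rstrip(".")  # drop a trailing FQDN dot

    # Hashes: hex-only and one of the known digest lengths.
    if _HEX_RE.match(v) and len(v) in _HASH_LENGTHS:
        return "hash", v.lower()

    # IP addresses: let the stdlib validate; accept bracketed IPv6 literals.
    try:
        ip = ipaddress.ip_address(v.strip("[]"))
        return ("ipv6" if ip.version == 6 else "ipv4"), ip.compressed
    except ValueError:
        pass

    # URLs: require a scheme and a parseable host.
    if "://" in v:
        parts = urlsplit(v)
        if parts.scheme in ("http", "https", "ftp") and parts.hostname:
            return "url", v

    # Bare domains.
    if _DOMAIN_RE.match(v):
        return "domain", v.lower()

    return "unknown", v


if __name__ == "__main__":
    # Constructed inputs, not real indicators.
    for sample in (
        "hxxps://evil[.]example[.]com/payload.exe",
        "2001:DB8::1",
        "192.0.2.10.",
        "Example.COM",
        "A" * 64,
    ):
        print(sample, "->", classify_artifact(sample))
```

Hashes are lowercased and IPv6 addresses are compressed so that the same indicator written two ways searches identically; URLs are returned refanged but otherwise untouched, since path and query case can be significant.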

Review the following details of
unique threats in your network:
- Threat Name—Threat signature name. Use this to find the latest Threat Vault information about the threat including all the threat sessions during a time range.
- Threat ID—Unique threat signature ID. Use the threat ID to look up the latest information that the Palo Alto Networks threat database has for this signature.
- Threat Category and Subcategory—The type of threat, based on the threat signature (Antivirus, Spyware (C2), or Vulnerability).
- Licenses—The Palo Alto Networks security services that detected the threat.
- Severity—The threat severity is determined by how easy the vulnerability is to exploit, the impact of the vulnerability, the pervasiveness of the vulnerable product, and other factors. The severity is categorized as:
- Critical—The vulnerability affects default installations of very widely deployed software and exploitation can result in root compromise. Exploit code (details of how to exploit the system, methods, proof of concept (POC)) is widely available and easy to use. The attacker needs no special authentication credentials or knowledge about individual victims.
- High—Threats that could become critical but have mitigating factors; for example, they may be difficult to exploit, may not result in elevated privileges, or may not have a large victim pool.
- Medium—Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access.
- Low—Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage.
- Informational—Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist.
- Total Sessions—The number of sessions in which the threat was detected. Click the threat name to view all related threat sessions in the specified time range. The threat session table provides context on the threat, such as the time when the Palo Alto Networks security services detected it, the users, rules, applications, and devices affected by it, and the action taken (allowed or blocked).
- Total Users—The number of users exposed to the threat.
- Allowed Threats and Blocked Threats—The action enforced on the threat. Review these counts to confirm that the enforced actions are not the result of false positives on your network.
- Actions—Log history of the threat in the Log Viewer to aid in threat investigations.
Reports—You cannot generate a report that covers the data in this view.
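
Because this view cannot be exported as a report, the same rollup is often rebuilt offline from threat-log exports when an investigation needs to be shared. The following is an added example, not code from this page or from Palo Alto Networks: it takes per-session threat records in the shape of the fields listed above (constructed sample data, not real logs), produces one row per unique threat with total sessions, total users, and allowed versus blocked counts, gives the category and severity breakdowns, and lists the higher-severity threats that had at least one allowed session, which are the rows to check first. The threat IDs, names, and the mapping of log actions to "allowed" are our own assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Severity levels in the order the view ranks them.
SEVERITY_ORDER = ("critical", "high", "medium", "low", "informational")

# Assumed mapping: "alert" logs the signature match but lets the session
# continue, so it counts as allowed; every other action is treated as blocked.
ALLOWED_ACTIONS = {"allow", "alert"}

# Constructed sample sessions, one record per detection. Not real log data.
SAMPLE_SESSIONS = [
    {"threat_id": 100001, "threat_name": "Constructed Web Exploit Attempt", "category": "vulnerability",
     "severity": "critical", "license": "Threat Prevention", "user": "alice", "action": "reset-server"},
    {"threat_id": 100001, "threat_name": "Constructed Web Exploit Attempt", "category": "vulnerability",
     "severity": "critical", "license": "Threat Prevention", "user": "bob", "action": "reset-server"},
    {"threat_id": 100001, "threat_name": "Constructed Web Exploit Attempt", "category": "vulnerability",
     "severity": "critical", "license": "Threat Prevention", "user": "alice", "action": "alert"},
    {"threat_id": 100002, "threat_name": "Constructed C2 Beacon", "category": "spyware",
     "severity": "high", "license": "Threat Prevention", "user": "carol", "action": "alert"},
    {"threat_id": 100002, "threat_name": "Constructed C2 Beacon", "category": "spyware",
     "severity": "high", "license": "Threat Prevention", "user": "carol", "action": "sinkhole"},
    {"threat_id": 100003, "threat_name": "Constructed Scanner Signature", "category": "vulnerability",
     "severity": "informational", "license": "Threat Prevention", "user": "dave", "action": "alert"},
    {"threat_id": 100004, "threat_name": "Constructed Malware File", "category": "antivirus",
     "severity": "medium", "license": "WildFire", "user": "bob", "action": "drop"},
]


@dataclass
class ThreatRow:
    """One row of the unique-threats table."""
    threat_id: int
    threat_name: str
    category: str
    severity: str
    license: str
    users: set = field(default_factory=set)
    allowed: int = 0
    blocked: int = 0

    @property
    def total_sessions(self) -> int:
        return self.allowed + self.blocked

    @property
    def total_users(self) -> int:
        return len(self.users)


def summarize(sessions) -> dict:
    """Roll per-session records up into one ThreatRow per threat ID."""
    rows = {}
    for s in sessions:
        row = rows.get(s["threat_id"])
        if row is None:
            row = ThreatRow(s["threat_id"], s["threat_name"], s["category"],
                            s["severity"], s["license"])
            rows[s["threat_id"]] = row
        row.users.add(s["user"])
        if s["action"] in ALLOWED_ACTIONS:
            row.allowed += 1
        else:
            row.blocked += 1
    return rows


def breakdown(sessions, key: str) -> Counter:
    """Session counts per value of key, e.g. 'severity' or 'category'."""
    return Counter(s[key] for s in sessions)


def allowed_to_review(rows, min_severity: str = "high"):
    """Threats at or above min_severity with at least one allowed session,
    most severe first: these need a look before the action is trusted."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    hits = [r for r in rows.values()
            if SEVERITY_ORDER.index(r.severity) <= cutoff and r.allowed > 0]
    return sorted(hits, key=lambda r: SEVERITY_ORDER.index(r.severity))


if __name__ == "__main__":
    rows = summarize(SAMPLE_SESSIONS)
    print("total threat sessions:", sum(r.total_sessions for r in rows.values()))
    print("by severity:", dict(breakdown(SAMPLE_SESSIONS, "severity")))
    print("by category:", dict(breakdown(SAMPLE_SESSIONS, "category")))
    for r in allowed_to_review(rows):
        print(f"review {r.threat_id} {r.threat_name} [{r.severity}] "
              f"allowed={r.allowed} blocked={r.blocked} users={r.total_users}")
```

Total Users is the count of distinct users, not of sessions, which is why the row keeps a set rather than a counter. Lowering `min_severity` widens the review list; the default of "high" matches the critical and high definitions above, where an allowed session is most likely to matter.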