Activity Release Updates

See what’s new in Activity for Prisma Access and
AIOps for NGFW
Here’s what we’re working on to make Activity even better.

What’s Supported

Activity support might vary depending on what product you’re using, Prisma Access or
AIOps for NGFW
. ➡ Support for Activity Dashboards and Reports

What’s New

Here’s what’s new in Activity:

January 2023

New Features
Tenant Support Group (TSG) Support for Activity in Prisma Access Cloud Managed
Activity features (such as WildFire and DNS dashboards, and Search for Security Artifacts) now support showing data for tenants with tenant service groups (TSGs). Learn more about Activity features supported in your app and their requirements.

December 2022

New Features
Threat Insights Dashboard
The Threat Insights dashboard provides a holistic view of all threats that the Palo Alto Networks security services detected in your network. You can view the impacted applications, users, security policy rules that allowed or blocked threats in your network, and network sessions in which they were detected. The dashboard also provides a breakdown of threats that your security services are detecting and blocking in your network. You can use the following filters to drill down into specific threats; threat categories, security services that detected the threats, actions taken on threats, and the time range.
Threat Insights is available in Prisma Access, AIOps for NGFW premium only, and Prisma SASE Multitenant Platform (SASE Portal). Go to
Activity > Threat Insights
on the left navigation pane to get started.
The dashboard currently shows data for Prisma Access and AIOps for NGFW premium users with Cortex Data Lake hosted in the Americas region only. The dashboard support for non-Americas regions will be coming soon.

September 2022

New Features
Search for Security Artifacts Moved to Premium in
AIOps for NGFW
The Activity Search is now a premium feature in
AIOps for NGFW
and is available to you with the Premium License of
AIOps for NGFW
. The early access to Activity Search will no longer be available in
AIOps for NGFW
Free. View the list of
AIOps for NGFW
premium features here.

July 2022

New Features
View Application Data in WildFire Dashboard
The WildFire dashboard now shows additional data in
WildFire > Summary > Top Applications
. You can view the details of the applications that sourced the most malicious samples in your network. Click the application name and sample count to review details of the application and malicious sample detected by WildFire.
View Targeted Users Data in WildFire Dashboard
WildFire > Summary > Top Users
dashboard shows the user accounts that are most frequently used to deliver malicious samples in your network. Click the user name to investigate the user activity patterns in the User Activity dashboard.
Identify WildFire Submissions Based on Regions
The WildFire dashboard provides interactive drill down for you to know the locations that sent or received the most malicious samples in your network. Click
WildFire > Summary > Top Regions
to view the sample count for source and destination regions in a map or table format.
Review Firewalls Contributing to WildFire Submissions
AIOps for NGFW
In the
WildFire > Summary > Top Applications
dashboard, you can view the firewalls that are contributing to the most malicious samples in your network.
View Tag Details for Security Artifact Search Results
In search results, you can now view detailed information about the tags associated with a sample. Tags can help you know if the sample is part of any threat families, campaigns, or malicious actors. To view tag details, hover over or click the tag name in the search result page.

June 2022

New Features
Dashboard and Log Viewer Support for Cortex Data Lake Tenants in non-Americas
For Panorama Managed Prisma Access users with Cortex Data Lake hosted in the non-Americas region, you need to provide consent to allow Prisma Access to read and process data from the Cortex Data Lake in the non-Americas region. Review and accept the privacy info on the Dashboard home page to provide your consent and view more dashboards and logs. Only app, instance, and account administrators can see and accept the privacy notice.
Highlights for Policy Action and Severity in Log Viewer
Log Viewer highlights the action taken on the traffic associated with a log record and the threat severity levels of the logs. The highlights help you to easily identify how different sessions are enforced. The actions are highlighted in the following colors:
  • Blue—allow
  • Yellow—continue, override
  • Orange—deny, drop, drop-icmp, reset-client, reset-server, reset-both, block-continue, block-override, block-URL, drop-all, sinkhole
More Best Practice Checks and Updates to Network and Service Setup
AIOps for NGFW
If you’re using
AIOps for NGFW
, there are additional Best Practices checks available for Network and Service Setup configurations.
For Network configuration, you can review the failed checks for policy-based forwarding rules, network profiles, zones, and tunnels.
For Service Setup, in addition to the checks for WildFire and GlobalProtect configurations, you can review the best practice checks for device and deployment settings such as Logging, Log Forwarding, User ID, High Availability, Tags, Dynamic Updates, and General Settings.
Casuality Chain Visualization
You can now visualize the process executed and the associated events and triggers for samples using analysis data provided by WildFire. Hover over the process node to display more information about the process. Click
Activity > Search
and enter a file hash to view the casuality chain under the
WildFire Analysis
Snapshots from WildFire
tab in the file hash search results page shows screenshots captured during WildFire sample analysis and displays various process milestones to help you validate the operations and detection reasons used to classify a file.
Contextual Search in Log Viewer
The URL, file hash, domain, and IP address in Log Viewer have links that open the search results page to show all the threat intelligence on the artifacts.
Support for DNS Security Log Type in Log Viewer
In Log Viewer, you can explore the logs recorded during the traffic inspection by the DNS Security service.
Request Verdict Change
You can request a change of verdict for a particular file sample submitted to WildFire from the File Hash search results page in

May 2022

New Features
Log Viewer Subnet Search
In Log Viewer, You can now use the
operators to match IPv4 and IPv6 addresses and subnets that use CIDR notation. This allows you to speed up your investigations by quickly narrowing them down to logs from a section of your network.
For example, this search identifies all logs with the specified IPv4 address range in the source address field:
src_ip.value = ""
Similarly, this search identifies all logs that do not have IPv4 address range in the destination address field:
dst_ip.value != “”
More Best Practice Checks and Updates to the Best Practices Dashboard
There’s more best practice checks available now as part of the Best Practices dashboard. In addition to security checks (for rules, profiles, and rulebases), you can now also see where devices are not aligned to best practices for identity, network, and setup configuration. Go to
Best Practices
see the new checks.
Expanded Support for the Best Practices Dashboard ()
AIOps for NGFW
If you’re using
AIOps for NGFW
, the Best Practices dashboard is now supported across all hardware and VM-Series models. Review Support for Activity Dashboards and Reports to see the Activity features that are available to you.
If you’re using Prisma Access: the Best Practices dashboard continues to be fully supported for all Prisma Access deployments.
WildFire Dashboard
The new WildFire dashboard is available to you now in beta. Preview and explore this dashboard to see how WildFire is protecting you from net new malware that’s concealed in files, executables, and email links.
Go to
to get started.
DNS Security Dashboard
The new DNS Security dashboard shows you how your DNS Security subscription is protecting you from advanced threats and malware that use DNS. Go to
DNS Security
to have a look.
Search for Security Artifacts
In Activity, you can now search for security artifacts — an IP address (IPv4 or IPv6), a domain, a URL, or a file hash — to interact with data just for that artifact.
Search results give you a full view of the artifact, across all the data gathered by Palo Alto Networks and third party intelligence sources, including passive DNS history, WildFire analysis findings, and more.
To get started, go to
Jump to DLP Events
In Log Viewer, logs with DLP file submissions now feature a link that takes you to a page with further details about the patterns from the DLP profile that matched the submitted file. Follow the link to get a more complete picture of your DLP incidents and help ensure that your data remains secure.

New Features in 2021

New Features
Search for Security Artifacts
In Activity, you can now search for a network artifact — an IP address (IPv4 or IPv6, a domain, a URL, or a file hash — to interact with data just for that artifact.
To get started, go to
Network Usage
The new Network Usage dashboard shows you what’s driving your network traffic. Dive in to see who or what is using your network, including the apps and sites they’re accessing and their threat exposure.
DLP Incidents
The new Data Loss Prevention (DLP) Incidents dashboard gives you visibility into events that have triggered DLP enforcement. Here’s more on DLP Incidents and using Enterprise DLP with Prisma Access Cloud Management. Go to
DLP Incidents
to have a look.
Application Usage and User Activity Updates
Application Usage and User Activity dashboards now include:
  • The threat count each of the top application types (application subcategories)
  • Contextual links to the Log Viewer, so you can see all network events related to data that appears on the dashboard
Introducing Activity
Activity brings together and builds on the previous reports and Logs features. Find Activity on the left navigation panel, where you would have previously accessed reports and Logs.
Activity helps you view network activity highlights and interact with data on the applications, threats, users, security subscriptions at work in your network. Just as before, you can export this data in the form of reports for offline viewing and sharing.
The new Executive Summary dashboard shows you how your Palo Alto Networks security subscriptions are protecting you. This dashboard gives you the numbers on the malicious activity your subscriptions are detecting and preventing:
  • high-risk applications
  • severe threats (exploits, malware, and C2)
  • malicious web activity
  • file-based threats (including never-before-seen threats)
  • data loss
Peer data in this dashboard gives you a view into your industry’s threat landscape and how your security coverage compares to similar organizations. Peer data is also shown for subscriptions you’re not using; this helps you to see if there are places where you could increase coverage to close security gaps.
The new best practices dashboard measures your security posture against Palo Alto Networks’ best practice guidance, and helps you identify areas where you can take quick action to strengthen security and meet compliance requirements.
Importantly, the best practice assessment includes checks for the Center for Internet Security’s Critical Security Controls (CSC). CSC checks are called out separately from other best practice checks, so you can easily pick out and prioritize updates that will bring you up to CSC compliance.

Known Issues

Known Issues
The WildFire dashboard does not show data for samples submitted from the WildFire India region, although the logs related to this data are shown in Log Viewer. Currently, the WildFire dashboard shows data for these regions.
The Best Practices dashboard does not show data for some devices in AIOps tenants.
The DNS and WildFire dashboards are currently unavailable for AIOps Free tier telemetry only tenants.
The file hash search does not show screenshots even when the verdict of the sample changes from benign to malware at a later time.
The security administrators cannot view dashboard and Log Viewer in Panorama Managed Prisma Access with Cortex Data Lake hosted in the non-Americas region.
The file hash search shows screenshots from WildFire analysis only for samples analyzed from July 2020 and after.
The search results for a file hash and URL can sometimes timeout to display the results.
The search results for URLs with grayware may sometimes throw an error.
The Coverage search results for a file hash can sometimes show an error instead of displaying the threat protections that are available for the file.
, the number of users, files, and threats, for an application may not match between Dashboards and the Log Viewer.
Dashboards can sometimes time out if you are using a large amount of Cortex Data Lake log storage (for example, if you have more than 100 Cortex Data Lake licenses, you might be using a large amount of log storage).
The Best Practices dashboard for Prisma Access does not display data for WildFire Setup best practice checks.
This data displays for the AIOps for NGFW Best Practices dashboard, but is not yet available for the Best Practices dashboard in Prisma Access.

Recent Fixes

Fixed Issues
Sometimes, the total number of remote network sites displayed in the Prisma Access Usage dashboard is different than the total number of remote network sites displayed on the Prisma Access Overview.
In the PDF version of the Prisma Access Usage dashboard, the first page summary lists the number of Prisma Access locations that you’re using; the number shown might not be accurate.
In the Prisma Access Usage dashboard, some widgets display a trend over time, and the widget x-axis is what indicates the time over which the data is displayed. Sometimes, the x-axis adjusts to only show the time for which there was data, instead of the filter you selected (24 hours, a week, or a month).
In the User Activity dashboard, the doughnut chart described as showing total data transfer and sessions across all URL categories, is actually showing data transfer and sessions only for the top 10 URL categories.
The overall bandwidth consumption graph in the Usage dashboard shows the ingress bandwidth trend instead of overall bandwidth.
In the Prisma Access Usage dashboard, the widget that shows data on the Top Prisma Access Locations for Remote Networks might show only partial or obscured location names.
New Prisma Access Cloud Management instances will show only the Usage dashboard at first. It’ll take up to 8 hours for the Application and the User Activity dashboards to populate after onboarding.
For managed firewalls running versions earlier than PAN-OS 10.0.7, the device details don't include the name of the Panorama that's managing the firewall. Device details includes this information for firewalls running PAN-OS 10.0.7 and later.
For certain widgets or values, the Usage does not display the data you’d expect. For example, the allocated bandwidth for remote networks should display how much bandwidth you've allocated across Prisma Access locations (regardless of usage). However, it instead displays the amount of bandwidth allocated only to Prisma Access locations with active remote network sites.
For now, you can add up to 14 scheduled reports.

Recommended For You