Activity Release Updates
See what’s new in Activity for Prisma Access and AIOps for NGFW. Here’s what we’re working on to make Activity even better.
What’s Supported
Activity support might vary depending on what product you’re using, Prisma Access or AIOps for NGFW.
➡ Support for Activity Dashboards and Reports
What’s New
Here’s what’s new in Activity:
January 2023
New Features | |
---|---|
Tenant Support Group (TSG) Support for Activity
in Prisma Access Cloud Managed | Activity features (such as WildFire and DNS
dashboards, and Search for Security Artifacts) now support showing
data for tenants with tenant service groups (TSGs). Learn more about Activity
features supported in your app and their requirements. |
December 2022
New Features | |
---|---|
Threat Insights Dashboard | The Threat Insights dashboard
provides a holistic view of all threats that the Palo Alto Networks
security services detected in your network. You can view the impacted applications,
users, security policy rules that allowed or blocked threats in
your network, and network sessions in which they were detected.
The dashboard also provides a breakdown of threats that your security
services are detecting and blocking in your network. You can use
the following filters to drill down into specific threats: threat
categories, security services that detected the threats, actions taken
on threats, and the time range. Threat Insights is available
in Prisma Access, AIOps for NGFW premium only, and Prisma SASE Multitenant
Platform (SASE Portal). Go to Activity >
Threat Insights. The dashboard currently shows data
for Prisma Access and AIOps for NGFW premium users with Cortex Data Lake
hosted in the Americas region only. Dashboard support for non-Americas
regions will be coming soon. |
September 2022
New Features | |
---|---|
Search for Security Artifacts Moved to Premium
in AIOps for NGFW |
July 2022
New Features | |
---|---|
View Application Data in WildFire Dashboard | The WildFire dashboard now shows additional
data in WildFire > Summary > Top Applications.
You can view the details of the applications that sourced the most
malicious samples in your network. Click the application name and
sample count to review details of the application and malicious
sample detected by WildFire. |
View Targeted Users Data in WildFire Dashboard | The WildFire > Summary > Top Users dashboard
shows the user accounts that are most frequently used to deliver
malicious samples in your network. Click the user name to investigate
the user activity patterns in the User Activity dashboard. |
Identify WildFire Submissions Based on Regions | The WildFire dashboard provides an interactive
drill-down that shows the locations that sent or received the most
malicious samples in your network. Click WildFire > Summary
> Top Regions to view the sample count for source and
destination regions in a map or table format. |
Review Firewalls Contributing to WildFire
Submissions (AIOps for NGFW) | In the WildFire > Summary > Top Applications dashboard,
you can view the firewalls that are contributing to the most malicious samples
in your network. |
View Tag Details for Security Artifact Search
Results | In search results, you can now view detailed information
about the tags associated with a sample. Tags can help you know
if the sample is part of any threat families, campaigns, or malicious
actors. To view tag details, hover over or click the tag name in
the search result page. |
June 2022
New Features | |
---|---|
Dashboard and Log Viewer Support for Cortex
Data Lake Tenants in non-Americas | For Panorama Managed Prisma
Access users with Cortex Data Lake hosted in the non-Americas region, you
need to provide consent to allow Prisma Access to read and process
data from the Cortex Data Lake in the non-Americas region. Review
and accept the privacy info on the Dashboard home page to provide
your consent and view more dashboards and logs. Only app, instance,
and account administrators can see and accept the privacy notice. |
Highlights for Policy Action and Severity
in Log Viewer | Log Viewer highlights the
action taken on the traffic associated with a log record and the threat
severity levels of the logs. The highlights help you to easily identify
how different sessions are enforced. The actions are highlighted
in the following colors: |
More Best Practice
Checks and Updates to Network and Service Setup (AIOps for NGFW) | If you’re using AIOps for NGFW, there are additional Best Practices checks available
for Network and Service Setup configurations. For Network configuration, you can review
the failed checks for policy-based forwarding rules, network profiles,
zones, and tunnels. For Service Setup, in addition to the
checks for WildFire and GlobalProtect configurations, you can review
the best practice checks for device and deployment settings such
as Logging, Log Forwarding, User ID, High Availability, Tags, Dynamic
Updates, and General Settings. |
Causality Chain Visualization | You can now visualize the process executed
and the associated events and triggers for samples using analysis
data provided by WildFire. Hover over the process node to display
more information about the process. Click Activity > Search and
enter a file hash to view the causality chain under the WildFire Analysis tab. |
Snapshots from WildFire | The Summary tab in the file hash search results
page shows screenshots captured during WildFire sample analysis and
displays various process milestones to help you validate the operations
and detection reasons used to classify a file. |
Contextual Search in Log Viewer | The URL, file hash, domain, and IP address
in Log Viewer have links that open the search results page
to show all the threat intelligence on the artifacts. |
Support for DNS Security Log Type in Log
Viewer | In Log
Viewer, you can explore the logs recorded during the
traffic inspection by the DNS Security service. |
Request Verdict Change | You can request a change of verdict for a particular
file sample submitted to WildFire from the File Hash search results page in Activity. |
May 2022
New Features | |
---|---|
Log Viewer Subnet Search | In Log Viewer, you can now
use the = or != operators
to match IPv4 and IPv6 addresses and subnets that use CIDR notation.
This allows you to speed up your investigations by quickly narrowing
them down to logs from a section of your network. For
example, this search identifies all logs with the specified IPv4
address range in the source address field: src_ip.value = "192.168.30.51/24" Similarly, this search identifies all logs that
do not have the specified IPv4 address range in the destination address field: dst_ip.value != "172.10.10.10/24" |
More Best Practice Checks and Updates to
the Best Practices Dashboard | There are more best practice checks available
now as part of the Best Practices dashboard.
In addition to security checks (for rules, profiles, and rulebases),
you can now also see where devices are not aligned to best practices
for identity, network, and setup configuration. Go to Activity > Dashboards > Best Practices. |
Expanded Support for the Best Practices
Dashboard (AIOps for NGFW) | If you’re using AIOps for NGFW,
the Best Practices dashboard
is now supported across all hardware and VM-Series models. Review Support for Activity Dashboards and Reports to see the
Activity features that are available to you. If you’re
using Prisma Access, the Best Practices dashboard continues to be
fully supported for all Prisma Access deployments. |
WildFire Dashboard Beta | The new WildFire dashboard
is available to you now in beta. Preview and explore this dashboard
to see how WildFire is protecting you from net new malware that’s
concealed in files, executables, and email links. Go to Activity > Dashboards > WildFire. |
DNS Security Dashboard | The new DNS Security dashboard
shows you how your DNS Security subscription is protecting you from
advanced threats and malware that use DNS. Go to Activity > Dashboards > DNS Security. |
Search for Security Artifacts Beta | In Activity,
you can now search for security
artifacts (an IP address (IPv4 or IPv6), a domain, a URL,
or a file hash) to interact with data just for that artifact. Search
results give you a full view of the artifact, across all the data
gathered by Palo Alto Networks and third-party intelligence sources,
including passive DNS history, WildFire analysis findings, and more. To
get started, go to Activity > Search. |
Jump to DLP Events | In Log Viewer, logs with DLP file submissions
now feature a link that takes you to a page with further details
about the patterns from the DLP profile that matched the submitted
file. Follow the link to get a more complete picture of your DLP
incidents and help ensure that your data remains secure. |
New Features in 2021
New Features | |
---|---|
Search for Security Artifacts | In Activity,
you can now search for a network
artifact (an IP address (IPv4 or IPv6), a domain, a URL,
or a file hash) to interact with data just for that artifact. To
get started, go to Activity > Search. |
Network Usage | The new Network Usage dashboard
shows you what’s driving your network traffic. Dive in to see who
or what is using your network, including the apps and sites they’re
accessing and their threat exposure. |
DLP Incidents | The new Data Loss Prevention (DLP) Incidents dashboard
gives you visibility into events that have triggered DLP enforcement.
Here’s more on DLP Incidents and using
Enterprise DLP with Prisma Access Cloud Management. Go to Activity > Logs > DLP Incidents. |
Application Usage and User Activity Updates | Application Usage and User Activity dashboards
now include: |
Introducing Activity | Activity brings together and builds on the previous
reports and Logs features. Find Activity on the left navigation
panel, where you would have previously accessed reports and Logs. Activity
helps you view network activity highlights and interact with data
on the applications, threats, users, and security subscriptions at work
in your network. Just as before, you can export this data in the form
of reports for offline viewing and sharing. |
The new Executive Summary dashboard shows you
how your Palo Alto Networks security subscriptions are protecting
you. This dashboard gives you the numbers on the malicious activity
your subscriptions are detecting and preventing:
Peer data in this dashboard gives
you a view into your industry’s threat landscape and how your security coverage
compares to similar organizations. Peer data is also shown for subscriptions
you’re not using; this helps you to see if there are places where
you could increase coverage to close security gaps. | |
The new best practices dashboard measures
your security posture against Palo Alto Networks’ best practice
guidance, and helps you identify areas where you can take quick
action to strengthen security and meet compliance requirements. Importantly,
the best practice assessment includes checks for the Center for
Internet Security’s Critical Security Controls (CSC). CSC checks
are called out separately from other best practice checks, so you can
easily pick out and prioritize updates that will bring you up to
CSC compliance. |
Known Issues
Known Issues | |
---|---|
VRPT-5158 | The WildFire dashboard does not show data for samples
submitted from the WildFire India region, although the logs related
to this data are shown in Log Viewer. Currently, the WildFire dashboard
shows data for these regions. |
DIN-3679 | The Best Practices dashboard does not show
data for some devices in AIOps tenants. |
VRPT-4006 | The DNS and WildFire dashboards are currently unavailable
for AIOps Free tier telemetry only tenants. |
VRPT-4655 | The file hash search does not show screenshots
even when the verdict of the sample changes from benign to malware
at a later time. |
VRPT-4411 | The security administrators cannot view dashboard and
Log Viewer in Panorama Managed Prisma Access with Cortex Data Lake
hosted in the non-Americas region. |
VRPT-4445 | The file hash search shows screenshots from
WildFire analysis only for samples analyzed from July 2020 and after. |
VRPT-4476 | The search results for a file hash and URL
can sometimes time out before displaying the results. |
VRPT-4557 | The search results for URLs with grayware may sometimes
throw an error. |
VRPT-3855 | The Coverage search results for a file hash
can sometimes show an error instead of displaying the threat protections
that are available for the file. |
VRPT-1830 | In Activity, the number
of users, files, and threats for an application may not match between
Dashboards and the Log Viewer. |
VRPT-648 | Dashboards can sometimes time out if you are
using a large amount of Cortex Data Lake log storage (for example,
if you have more than 100 Cortex Data Lake licenses, you might be
using a large amount of log storage). |
VRPT-4138 | The Best Practices dashboard for Prisma
Access does not display data for WildFire Setup best practice checks. This
data displays for the AIOps for NGFW Best Practices dashboard, but
is not yet available for the Best Practices dashboard in Prisma
Access. |
Recent Fixes
Fixed Issues | |
---|---|
VRPT-362 | Sometimes, the total number of remote network sites
displayed in the Prisma Access Usage dashboard is different than
the total number of remote network sites displayed on the Prisma
Access Overview. |
VRPT-343 | In the PDF version of the Prisma Access
Usage dashboard, the first page summary lists the number of Prisma
Access locations that you’re using; the number shown might not be
accurate. |
VRPT-339 | In the Prisma Access Usage dashboard, some widgets
display a trend over time, and the widget x-axis is what indicates
the time over which the data is displayed. Sometimes, the x-axis
adjusts to only show the time for which there was data, instead
of the filter you selected (24 hours, a week, or a month). |
VRPT-246 | In the User Activity dashboard, the doughnut chart
described as showing total data transfer and sessions across all
URL categories, is actually showing data transfer and sessions only
for the top 10 URL categories. |
VRPT-639 | The overall bandwidth consumption graph in
the Usage dashboard shows the ingress bandwidth trend instead of
overall bandwidth. |
PAI-457 | In the Prisma Access Usage dashboard, the widget
that shows data on the Top Prisma Access Locations for Remote Networks
might show only partial or obscured location names. |
APL-13233 | New Prisma Access Cloud Management instances will
show only the Usage dashboard at first. It’ll take up to 8 hours
for the Application and the User Activity dashboards to populate
after onboarding. |
VRPT-1095 fixed | For managed firewalls running versions earlier
than PAN-OS 10.0.7, the device details don't include the name of
the Panorama that's managing the firewall. Device details include
this information for firewalls running PAN-OS 10.0.7 and later. |
PAI-500 | For certain widgets or values, the Usage dashboard
does not display the data you’d expect. For example, the allocated
bandwidth for remote networks should display how much bandwidth
you've allocated across Prisma Access locations (regardless of usage).
However, it instead displays the amount of bandwidth allocated only
to Prisma Access locations with active remote network sites. |
VRPT-90 | For now, you can add up to 14 scheduled reports. |