Investigate Prisma Access Browser Events
Focus
Focus
Prisma Access Browser

Investigate Prisma Access Browser Events

Table of Contents

Investigate Prisma Access Browser Events

Use the Prisma Access Browser Events log to monitor activity within your Enterprise Browser deployment.
Where Can I Use This?What Do I Need?
  • Strata Cloud Manager
  • Prisma Access Browser standalone
  • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
  • Superuser or Prisma Access Browser role
The Prisma Access Browser Events screen is the key visibility tool for investigating every activity within your Enterprise Browser deployment. Use this screen to assess the state of your current deployment and ensure that your policy is working as expected. From here, you can fine-tune the rules that define what actions you allow your users to perform within the applications you allow. For example, suppose you have set rules to block file downloads, but have enabled users to bypass this rule and proceed anyway. From the Events screen, you can see every bypass event and determine whether you need to refine the rule.
You can also view the browser events and audit logs from Strata Cloud Manager Log Viewer. These logs in Strata Logging Service can be forwarded to Amazon Security Lake, AWS S3, and Snowflake.
To review Prisma Access Browser events:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserAnalyticsEvents.
    You can see the total number of events displayed at the top of the page. By default, the Events screen displays the 50 most recent events. Click Load 50 More to move to the next page of events.
  2. Investigate events using search and filters.
    An important part of your role with the Prisma Access Browser is analyzing events, and looking for patterns and anomalies in user behavior. Whenever you notice unexpected or unusual activity, you need to see if you need to tune the rules to meet the needs and requirements of the end users. The Prisma Access Browser allows you to search and filter the events to discover and analyze user behavior patterns. At the top of the screen, you can search for specific events using specific data to help find a particular event. You can also narrow the list of events by filtering on any of the following Events screen columns:
    • Time—Select a predefined time period for which to display events, or create a Custom time period.
    • Category—Narrow down the type of events displayed by selecting one or more categories. Available event categories include:
      • Access—Events involving access to websites and apps.
      • DLP—Events involving file upload, file download, and clipboard controls (copy/paste)
      • Extensions—Events involving installation, removal, enabling, and disabling extensions.
      • PIN Code—Events involving access to apps and features that require a PIN code or authorization.
      • Malware—Incidents involving attempted access to malicious websites.
      • Tampering—Incidents involving unauthorized file tampering.
    • Type—The type of action that triggered the event log. The event types vary by category.
    • URL—The URL associated with the event.
    • App/Extension—The application or extension associated with the event.
    • Action—The action that is associated with the event.
    • User—The user associated with the event.
    • MITRE—The MITRE ATT&CK technique related to the event.
    • Policy rule—The policy rule that generated the event.
    • Recording—Indicates if a recording is available.
    You can also add additional filters to narrow down the events to display:
    • Event recordings—Show only events that have screen recordings.
    • Web classifications—Filter by types of web applications controlled by the policy rule that triggered the event.
    • Device—Filter events based on the device where the event originated.
    • Browser brand—Filter the events by the browser brand.
    • Browser version—Filter the events based on the version of the browser where the event originated.
    • Browser type—Filter the events based on the browser where the event originated.
    • Device groups—Filter the events by the device group.
    • OS platform—Filter the event based on the operating system on the device where the event originated.
    • User group—Filter the events based on the user group to which the users belong.
    • MITRE—Filter the events based on the MITRE ATT&CK Mitigation resource.
    • Compliance—Compliance Filter the events based on compliance issues (for example HIPAA, SOC 2, PCI DSS).
    • Mode—The behavior of the policy rule as applied to end users.
    • Is incident—Filter whether or not the event is an incident.
  3. Click into an event to view details about the event.
    From here you can also drill down into the raw data for the event.
  4. Export events for offline investigation.
    1. Click the Export icon.
    2. In the Export window, select one of the following options:
      • Export all available events—Export all the events in the database (up to a maximum of the 10,000 most recent events).
      • Export filtered or searched events—Export events based on the current filters.

Screen Recordings

This task describes how to use screen recordings.
You can configure the Prisma Access Browser to take screen recordings of certain preselected rules. This allows you to monitor and manage the way that your users work with the browser.
The recordings are based solely on the information that you configure to provide more enhanced visibility and monitoring. The information belongs to you. Neither Palo Alto Networks not its employees have access to the recordings.
The recordings show all the mouse clicks and keyboard actions that are made when the selected rule is engaged. The recording will include a few seconds before the action to a few seconds afterwards.

Enable Screen Recordings

  1. Create or edit an Access & Data Control rule.
  2. At the Log Level step, select Enhanced.
    Once this is done, every time the rule is triggered, there will be a short recording.

Viewing Screen Recording

  1. The short screen recordings are available in the Event Viewer. Locate the event that contains the recording and click the icon under Recording.
  2. The recording will display in a separate window.
    The mouse movements are tracked on the screen and displayed in red lines, so that you can see exactly where the user scrolled.

Screen Recording Retention Policy

This task describes the retention policy for the screen recordings.
Palo Alto Networks retains the screen recordings for an indefinite length of time in our own storage. This means that you can review the user's actions long after the actual event took place. The storage is