Prisma Access Browser
Investigate Prisma Access Browser Events
Table of Contents
Expand All
|
Collapse All
Prisma Access Browser Docs
Investigate Prisma Access Browser Events
Use the Prisma Access Browser Events log to monitor activity within your Enterprise
Browser deployment.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
The Prisma Access Browser Events screen is the key visibility tool for investigating
every activity within your Enterprise Browser deployment. Use this screen to assess
the state of your current deployment and ensure that your policy is working as
expected. From here, you can fine-tune the rules that define what actions you allow
your users to perform within the applications you allow. For example, suppose you
have set rules to block file downloads, but have enabled users to bypass this rule
and proceed anyway. From the Events screen, you can see every bypass event and
determine whether you need to refine the rule.
You can also view the browser events and audit logs from Strata Cloud Manager
Log Viewer. These
logs in Strata Logging Service can be
forwarded to Amazon Security Lake, AWS S3, and Snowflake.
To review Prisma Access Browser events:
- From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserAnalyticsEvents.You can see the total number of events displayed at the top of the page. By default, the Events screen displays the 50 most recent events. Click Load 50 More to move to the next page of events.Investigate events using search and filters.An important part of your role with the Prisma Access Browser is analyzing events, and looking for patterns and anomalies in user behavior. Whenever you notice unexpected or unusual activity, you need to see if you need to tune the rules to meet the needs and requirements of the end users. The Prisma Access Browser allows you to search and filter the events to discover and analyze user behavior patterns. At the top of the screen, you can search for specific events using specific data to help find a particular event. You can also narrow the list of events by filtering on any of the following Events screen columns:
- Time—Select a predefined time period for which to display events, or create a Custom time period.
- Category—Narrow down the type of events displayed by selecting
one or more categories. Available event categories include:
- Access—Events involving access to websites and apps.
- DLP—Events involving file upload, file download, and clipboard controls (copy/paste)
- Extensions—Events involving installation, removal, enabling, and disabling extensions.
- PIN Code—Events involving access to apps and features that require a PIN code or authorization.
- Malware—Incidents involving attempted access to malicious websites.
- Tampering—Incidents involving unauthorized file tampering.
- Type—The type of action that triggered the event log. The event types vary by category.
- URL—The URL associated with the event.
- App/Extension—The application or extension associated with the event.
- Action—The action that is associated with the event.
- User—The user associated with the event.
- MITRE—The MITRE ATT&CK technique related to the event.
- Policy rule—The policy rule that generated the event.
- Recording—Indicates if a recording is available.
You can also add additional filters to narrow down the events to display:- Event recordings—Show only events that have screen recordings.
- Web classifications—Filter by types of web applications controlled by the policy rule that triggered the event.
- Device—Filter events based on the device where the event originated.
- Browser brand—Filter the events by the browser brand.
- Browser version—Filter the events based on the version of the browser where the event originated.
- Browser type—Filter the events based on the browser where the event originated.
- Device groups—Filter the events by the device group.
- OS platform—Filter the event based on the operating system on the device where the event originated.
- User group—Filter the events based on the user group to which the users belong.
- MITRE—Filter the events based on the MITRE ATT&CK Mitigation resource.
- Compliance—Compliance Filter the events based on compliance issues (for example HIPAA, SOC 2, PCI DSS).
- Mode—The behavior of the policy rule as applied to end users.
- Is incident—Filter whether or not the event is an incident.
Click into an event to view details about the event.From here you can also drill down into the raw data for the event.Export events for offline investigation.- Click the Export icon.In the Export window, select one of the following options:
- Export all available events—Export all the events in the database (up to a maximum of the 10,000 most recent events).
- Export filtered or searched events—Export events based on the current filters.
Screen Recordings
This task describes how to use screen recordings. You can configure the Prisma Access Browser to take screen recordings of certain preselected rules. This allows you to monitor and manage the way that your users work with the browser.The recordings are based solely on the information that you configure to provide more enhanced visibility and monitoring. The information belongs to you. Neither Palo Alto Networks not its employees have access to the recordings.The recordings show all the mouse clicks and keyboard actions that are made when the selected rule is engaged. The recording will include a few seconds before the action to a few seconds afterwards.Enable Screen Recordings
- Create or edit an Access & Data Control rule.At the Log Level step, select Enhanced.Once this is done, every time the rule is triggered, there will be a short recording.
Viewing Screen Recording
- The short screen recordings are available in the Event Viewer. Locate the event that contains the recording and click the icon under Recording.The recording will display in a separate window.The mouse movements are tracked on the screen and displayed in red lines, so that you can see exactly where the user scrolled.
Screen Recording Retention Policy
This task describes the retention policy for the screen recordings. Palo Alto Networks retains the screen recordings for an indefinite length of time in our own storage. This means that you can review the user's actions long after the actual event took place. The storage is