Assess New Incidents

Prisma SaaS compiles a summary of incidents for you to view, assess and address by further investigation or closure.
Prisma SaaS compares all information it discovers against the enabled data patterns and active policy rules and identifies all violations and exposures for every asset across all cloud apps. The service then sorts the violations by severity so you can assess and either close or address them. After the initial discovery and remediation process, you should never see the same incidents again.
  1. Select Dashboard and view open Incidents to see a summary of policy rules with the number of open violations, any new incidents discovered in the last seven days, and the number of resolved incidents.
  2. Drill down into the incidents associated with a policy rule by clicking the corresponding link or View All Open Incidents, which takes you to a list of all open incidents where you can narrow your search results further or edit multiple incidents at once.
    • Select Display to customize the columns displaying incident information.
    • To filter Incidents and pinpoint risks, you can enter keywords to search for, such as a file name or part of a file name, sort each column by ascending or descending data, or you can use the built-in filters to see different views.
    • Click Export CSV to download the current view of incidents in a comma-separated list.
    • Use Actions to select up to 1000 incidents and change their status or assign them to another admin. You can view status changes in Remediation Activity Logs and incident assignment updates in the Admin Activity Logs.
  3. Drill down into a particular asset by clicking on the Item Name. Asset Details displays basic info, the policy rule the asset violated, a snippet of the file with the risky content highlighted, if available, and a link to the asset in the associated cloud app so you can get more context into the incident.
  4. In Actions, depending on the asset type and cloud app, you can open the asset, quarantine, explore the hierarchy of the file, send an email to the owner, download the file, or apply classification labels to third-party apps.
  5. To filter incidents associated with users, click Explore > People, select Internal Users or External Users, and scan the columns for Owned Items and Collaboration Items to identify users with a pattern of risky behavior. Click the value in a column to view their email, any cloud applications used, role, and activity as well as More Info to see detailed information associated with the user.
  6. After you understand the incidents and the context around them, you can start to address incidents. If you have several incidents to resolve, you can configure Automatic Remediation for most of the cloud apps. There are several ways to remediate an incident:
