Add a New User Activity Rule

Learn how to create a new user activity rule.
User activity rules enable you to track user activities that compromise your organization. For example, you can create a rule that sends an email alert or creates an activity monitoring log entry when a user downloads a large number of reports, or when a user tries to access an SaaS application from a malicious IP address. For additional examples, refer to Examples of User Activity Rules.
  1. Add a new rule.
    1. Select
      User Activity Rules
      New Rule
  2. Define the basic settings.
    1. Enter a
      for the rule.
    2. (Optional)
      Enter a
      for the rule.
    3. Specify a
      for the rule ranging from 1 to 5, with 5 representing the highest risk type of incident.
  3. Specify the
    Items to Detect
    1. Select one of the following:
      • Users
        —Applies the policy rule to users.
      • Assets (such as files or folders)
        —Applies the policy rule to assets.
    2. (Optional)
      Manage Exceptions
      for the rule. Enter the users or assets you want to exclude from the rule. For example, you might want to exclude Prisma SaaS administrators from user activity monitoring.
  4. Specify the match criteria for the activity.
  5. Verify that an action is enabled.
    Choices include:
    • Log Only
      (default)—Log the policy violation.
    • Send admin alert
      —For policy violations that require immediate action, send an email alert. Prisma SaaS can send up to five emails per hour on matches against each policy rule.
  6. Verify that the policy rule is enabled.
    , verify that the
    . A rule can be in the enabled or disabled state. After you add a new rule, you must enable the rule.
  7. Save your new policy rule.
    your changes.
    Prisma SaaS starts scanning files against the policy rule as soon as you save the changes. After the scan starts, you can start View Policy Violations for User Activity.

Recommended For You