Add a New User Activity Rule

To add a new user activity rule:
  1. Add a new rule.
    1. Select Policy > User Activity Rules > New Rule.
  2. Define the basic settings.
    1. Enter a Name for the rule.
    2. (Optional) Enter a Description for the rule.
    3. Specify a Severity for the rule ranging from 1 to 5, with 5 representing the highest risk type of incident.
  3. Specify the Items to Detect.
    1. Select one of the following:
      • Users—Applies the policy rule to users.
      • Assets (such as files or folders)—Applies the policy rule to assets.
    2. (Optional) Manage Exceptions for the rule. Enter the users or assets you want to exclude from the rule. For example, you might want to exclude Prisma SaaS administrators from user activity monitoring.
  4. Specify the match criteria for the activity.
  5. Verify that an action is enabled.
    Choices include:
    • Log Only (default)—Log the policy violation.
    • Send admin alert—For policy violations that require immediate action, send an email alert. Prisma SaaS can send up to five emails per hour on matches against each policy rule.
  6. Verify that the policy rule is enabled.
    In Basics, verify that the Status is Enabled. A rule can be in the enabled or disabled state. After you add a new rule, you must enable the rule.
  7. Save your new policy rule.
    Save your changes.
    Prisma SaaS starts scanning files against the policy rule as soon as you save the changes. After the scan starts, you can View Policy Violations for User Activity.
