Monitor and Investigate User Activity
Learn how to monitor and investigate user activity across all assets or a single asset.
On Prisma SaaS, you can view user activity across all assets, depending on your SaaS app. Using an API integration model, Prisma SaaS connects to each service and retrieves the user activity logs.
These logs enable you to monitor and investigate a variety of actions taken (activity or events) by your end users, including:
- file and folder downloads
- file and folder uploads
- failed login attempts
- sharing and collaboration
There are two different approaches to monitoring user activity: you can monitor activity across all assets or monitor activity for a single asset. The workflow you choose depends on your scope of investigation, but the filters and facets provided to explore the data are available at all times. Before you begin, however, determine if any of your SaaS apps have unique user activity requirements.
Monitor Activity for a Single Asset
If a specific asset triggered an incident due to your organization’s policies, you might need to investigate that incident to determine the correct remediation action.
View All Related Activitiesis supported on Box, Dropbox, and Google Drive only.
- Locate and click on the asset’sItem Name.
- Navigate toWho is accessing this File?andView All Related Activities.If there’s no activity, aNo activity in the past 90 daysmessage displays.
Monitor Activity within a Folder
If you want to view user activity for the files within a specific folder, there are some cloud apps that support this view.
- Locate and click on the folder’sItem Name.
- Navigate toEvents inside this folder.
Explore User Activity Results
- Date—Time frame when the user activity occurred. For example: past day, past week, past month, or past year.
- Action—Activity the user initiated. For example, download, view, sync, share, upload, delete, and copy a file or folder, or login.By default, any activity log with actionOtheris not displayed on Prisma SaaS. To include all activity logs, hover-overActionto displaySettings. SelectYestoInclude activities whose action is unclassified?.
- Cloud App—Lists the application on which the user activity occurred. For example, Box.
- Target Type—Lists the location, user, or asset where an activity or change occurred. It allows you to learn about who did what, for example which user initiated an action on a file, space, or folder, or added a user, created a space, performed work on a report, or used the API.
- Search—Find an item using part of the filename or find a user by the full email address. Because the user activity logs include information on the email address of the user who logged in, the source IP address and location of the user who performed the action, and the name of the item being modified or created, you can match on a phrase or email address.
Identify Risky Users
Learn how to identify risky users.
Just as you can assess risks by investigating user activity, Prisma SaaS also enables you to identify risks by users. It’s important to identify risk users so as to uncover the assets that pose a risk to your organization. For example, you can assess the risk of data leakage for untrusted users, external users, or former employees.
- (Optional) Apply aCloud Appfilter.
- SelectInternal UsersorExternal Users.
- Observe columns forOwned ItemsandCollaboration Itemsto identify users with a pattern of risky behavior.
- Click the value in a column to view the user’s email, any cloud applications used, role, and activity as well asMore Infoto see detailed information associated with the user.
- (Optional) Click the CSV icon to export a CSV file with a list of all users and cloud applications used.
User Activity Requirements
Prisma SaaS supports user activity, depending on your cloud app. Some cloud apps have unique requirements to enable user activity.
Google Apps Unlimited or Google Apps for Education subscription to enable the retrieval of all event logs. Without this additional subscription, only login and logout events are available to Prisma SaaS.
See also Fix Google Drive Monitoring Issues.
User Event Monitoring license to enable the retrieval of all event logs. Without this additional license, only log in and log out events are available to Prisma SaaS.
You must turn on audit logs in Office 365 to record user and admin activity. This feature isn’t enabled by default. Prisma SaaS needs these audit logs to search and report on user activity.
Recommended For You
Recommended videos not found.