Monitor and Investigate User Activity

Learn how to monitor and investigate user activity across all assets or a single asset.
On Prisma SaaS, you can view user activity across all assets, depending on your SaaS app. Using an API integration model, Prisma SaaS connects to each service and retrieves the user activity logs.
These logs enable you to monitor and investigate a variety of actions taken (activity or events) by your end users, including:
  • file and folder downloads
  • file and folder uploads
  • failed login attempts
  • sharing and collaboration
There are two different approaches to monitoring user activity: you can monitor activity across all assets or monitor activity for a single asset. The workflow you choose depends on your scope of investigation, but the filters and facets provided to explore the data are available at all times. Before you begin, however, determine if any of your SaaS apps have unique user activity requirements.

Monitor Activity Across All Assets

As part of your daily operations, you might need to investigate activity on a broad scale.
  1. Select Explore > Activities.
  2. Filter the results to meet your audit needs.
  3. Export this data to a CSV file to review the activity logs offline.

Monitor Activity for a Single Asset

If a specific asset triggered an incident due to your organization’s policies, you might need to investigate that incident to determine the correct remediation action.
View All Related Activities is supported on Box, Dropbox, and Google Drive only.
  1. Select Incidents > Assets.
  2. Locate and click on the asset’s Item Name.
  3. Navigate to Who is accessing this File? and View All Related Activities.
    If there’s no activity, a No activity in the past 90 days message displays.
  4. Filter the results to meet your audit needs.
  5. Export this data to a CSV file to review the activity logs offline.

Monitor Activity within a Folder

Some cloud apps let you view user activity for the files within a specific folder.
  1. Select Explore > Assets.
  2. Locate and click on the folder’s Item Name.
  3. Navigate to Events inside this folder.
  4. Export this data to a CSV file to review the activity logs offline.

Explore User Activity Results

Whether you want to explore the data set for activities for a single asset or across all assets, the filters and facets provided are the same. Use these tools to narrow and expand the results to meet your audit needs.
  • Date: Time frame when the user activity occurred. For example: past day, past week, past month, or past year.
  • Action: Activity the user initiated. For example, download, view, sync, share, upload, delete, and copy a file or folder, or login.
    By default, any activity log with action Other is not displayed on Prisma SaaS. To include all activity logs, hover over Action to display Settings. Select Yes to Include activities whose action is unclassified?
  • Cloud App: Lists the application on which the user activity occurred. For example, Box.
  • Target Type: Lists the location, user, or asset where an activity or change occurred. It allows you to learn who did what, for example which user initiated an action on a file, space, or folder, or added a user, created a space, performed work on a report, or used the API.
  • Search: Find an item using part of the filename or find a user by the full email address. Because the user activity logs include the email address of the user who logged in, the source IP address and location of the user who performed the action, and the name of the item being modified or created, you can match on a phrase or email address.
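
The following is an added example, not part of the Prisma SaaS documentation, of reviewing an exported activity CSV offline: it flags users with a burst of failed logins or downloads inside a sliding time window. The column names, the action values (login_failed, download), the thresholds, and the sample rows are assumptions constructed for illustration; map them to the headers in your own export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names and action values are assumptions,
# not the real Prisma SaaS CSV headers; rename them to match your export.
SAMPLE_CSV = """timestamp,user,action,cloud_app,item_name,source_ip
2024-03-01T09:00:05,alice@example.com,login_failed,Box,,203.0.113.7
2024-03-01T09:01:10,alice@example.com,login_failed,Box,,203.0.113.7
2024-03-01T09:02:00,alice@example.com,login_failed,Box,,198.51.100.4
2024-03-01T09:30:00,bob@example.com,login_failed,Box,,192.0.2.10
2024-03-01T10:00:00,carol@example.com,download,Box,plan.docx,192.0.2.55
2024-03-01T10:02:00,carol@example.com,download,Box,q1.xlsx,192.0.2.55
2024-03-01T10:04:00,carol@example.com,download,Box,hr.pdf,192.0.2.55
2024-03-01T10:06:00,carol@example.com,download,Box,keys.txt,192.0.2.55
2024-03-01T11:30:00,carol@example.com,download,Box,notes.txt,192.0.2.55
"""

def load_events(text):
    """Parse the export into dicts with datetime timestamps, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda row: row["timestamp"])

def bursts(events, action, threshold, window):
    """Return {user: peak} for users with >= threshold `action` events in any window."""
    per_user = defaultdict(list)
    for event in events:
        if event["action"] == action:
            per_user[event["user"]].append(event["timestamp"])
    flagged = {}
    for user, times in per_user.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def triage(text):
    events = load_events(text)
    return {
        "failed_logins": bursts(events, "login_failed", 3, timedelta(minutes=5)),
        "downloads": bursts(events, "download", 4, timedelta(minutes=10)),
    }
```

Tune the thresholds and windows to your own baseline before acting on the output.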

Identify Risky Users

Learn how to identify risky users.
Just as you can assess risks by investigating user activity, Prisma SaaS also enables you to identify risks by user. It’s important to identify risky users in order to uncover the assets that pose a risk to your organization. For example, you can assess the risk of data leakage for untrusted users, external users, or former employees.
  1. Select Explore > People.
  2. (Optional) Apply a Cloud App filter.
  3. Select Internal Users or External Users.
  4. Observe columns for Owned Items and Collaboration Items to identify users with a pattern of risky behavior.
  5. Click the value in a column to view the user’s email, any cloud applications used, role, and activity, as well as More Info to see detailed information associated with the user.
  6. (Optional) Click the CSV icon to export a CSV file with a list of all users and cloud applications used.

User Activity Requirements

Prisma SaaS supports user activity, depending on your cloud app. Some cloud apps have unique requirements to enable user activity.
Requirements by SaaS app:
  • Google Drive: Google Apps Unlimited or Google Apps for Education subscription to enable the retrieval of all event logs. Without this additional subscription, only login and logout events are available to Prisma SaaS.
  • Salesforce: User Event Monitoring license to enable the retrieval of all event logs. Without this additional license, only login and logout events are available to Prisma SaaS.
  • Office 365: You must turn on audit logs in Office 365 to record user and admin activity. This feature isn’t enabled by default. Prisma SaaS needs these audit logs to search and report on user activity.
    1. Log on to your Office 365 Admin account.
    2. Navigate to Security & Compliance Center > Search > Audit log search > Turn on auditing.