>
    Strata Copilot
    View All Threat Incidents
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. View Threats and Incidents
    4. View All Threat Incidents
    Download PDF
    SaaS Security

    View All Threat Incidents

    Table of Contents

    View All Threat Incidents

    The Incidents tab on the Behavior Threats page displays the threat incidents that Behavior Threats detected.
    1. Log in to Strata Cloud Manager.
    2. Select to ConfigurationSaaS SecurityBehavior ThreatsIncidents.
    3. In the Incidents table, review the information about the threat incidents.
      The displayed information includes the name of the policy that describes this type of incident, the severity of the incident, the user whose actions caused the incident, and the date that the incident occurred. You can sort the Incidents table according to any of these attributes by clicking the appropriate column.
    4. (Optional) Add Filter to the table to view only the incidents for a particular:
      • Severity (such as critical, high)
      • Situation type (such as a spike in activity, sensitive data transfer)
      • User
      • Policy Name (such as abnormal location access, bulk data downloads or uploads)
    5. (Optional) To view more information about the policy or user associated with the incident, click the name in the Policy Name or User column of the table.
    6. Click the incident Description to view in-depth details about a particular incident.
      • Incident Details
        This section provides a written summary of the incident that describes which user accessed which app, and why it generated an incident. Additionally, it provides the following information:
        • General Info—Describes the severity level of the incident, the user who generated the incident, the email of the user, and the last time the incident was updated.
        • Violation—Describes the violation situation, the name of the policy rule and policy rule type the incident generated against, and the action taken as configured in the policy rule.
        • Activity—(applicable for Static Rules only) Describes the activity that generated the incident and the number of individual events associated with the incident.
        • Provide Feedback—serves as a crucial mechanism that allows administrators to share feedback that can be used to fine-tune machine learning (ML) models and improve incident detection accuracy. Clicking the Provide Feedback button opens the Incident Feedback section, where you can select one or more of the following predefined categories:
          • Accurate identification: Use this to confirm that the ML model correctly identified the behavior as a genuine threat.
          • Inaccurate severity: Select this if the detection is correct, but the assigned risk level (Very Low, Low, Medium, High, Critical) does not match the actual risk to your organization.
          • Difficult to understand: Choose this if the logic behind the incident or the description is confusing.
          • Not enough detail: Use this if the incident report lacks the necessary context (for example, specific file names, timestamps, or user metadata) to perform a full investigation.
          • Poorly Formatted: Select this for UI/UX issues, such as text overlapping, broken links, or unreadable data tables within the incident report.
          In the How might we improve response? section, provide specific, open-ended suggestions on what information or remediation actions would have made the incident more meaningful and Submit.
      • Events
        Presents a bar graph displaying the total number of event counts associated with the incident, and the time each event occurred.
      • Incident List
        (Dynamic Policy Rules Only) You can filter and narrow down the list of incidents generated from predefined dynamic user activity policy rules based on the Application and Activity you want to investigate.
        A list of all events associated with the incident that includes the following information displays for both dynamic and static user activity policy rules.
        • Date and time the event occurred in YYYY-MM-DD:HH:MM:SS UTC format.
        • App associated with the incident.
        • Activity that occurred that generated the incident.
        • Location or region where the incident occurred.
        • Source IP address of the user who generated the incidents.
      Click the Incidents link at the top of the page to return to the Behavior Threats Incidents page.
    7. (Optional) Click the table's download icon to export a CSV file with a list of the incidents. The list will contain all incidents unless you applied a filter to the table.

    © 2026 Palo Alto Networks, Inc. All rights reserved.