Behavior Threats Administration
  • Behavior Threats Administration
  • SaaS Security Documentation
  • All Documentation
>
View Details for the Most Risky Users
Focus
Download PDF
Focus
  1. Home
  2. SaaS Security
  3. View Threats and Incidents
  4. View Details for the Most Risky Users
Download PDF
SaaS Security

View Details for the Most Risky Users

Table of Contents

View Details for the Most Risky Users

Get visibility into the most risky users on your tenant, based on the number and severity of threat incidents logged by Behavior Threats.

View the Most Risky Users

The Behavior Threats dashboard displays the most risky users on your tenant. The most risky users are those with the highest risk scores for your organization. Investigate these most risky users to determine if they pose a threat to your organization.
  1. Log in to Strata Cloud Manager.
  2. Select to ManageConfigurationSaaS SecurityBehavior Threats.
  3. View details for each of the Top 3 Risky Users. The details include more information about the threat incidents associated with the user. Investigate any suspicious activity and take action as needed.
    LLM Powered User Risk Summary
    Behavior Threats provides an LLM-powered user risk summary of the top 0.1% of risky users. This summary provides detailed insights into unusual activities, data access patterns, and potential security concerns even when incidents are not generated, enabling security administrators like you to understand and assess user risk more effectively.
    In the following example, a mouse hover on Rachel's risk score displays the LLM-powered risk summary.
    If you want to monitor a user more closely, you can add them to the watchlist.
  4. After investigating the Top 3 Risky Users, you can View All Risky Users. View details for these users and take action as needed.

View the Most Risky Users for Individual Policies

The Policies tab on the Behavior Threats dashboard shows the most risky users for each policy. These risky users are the users with the highest risk scores who are associated with threat incidents for the policy.
  1. Navigate to the Behavior Threats dashboard.
  2. Navigate to Policies.
    You can display the Policies in a grid view or a list view. By default, the policies display in a grid view.
  3. In the Policies grid, locate the policy that you're interested in and view the Top 3 Risky Users for the policy.
    The displayed information includes the user's risk score and the number of threat incidents associated with the user for the policy.
  4. View details for each of the Top 3 Risky Users. The details include more information about the threat incidents associated with the user. Investigate any suspicious activity and take action as needed.
    If you want to monitor a user more closely, you can add them to the watchlist.
  5. After investigating the Top 3 Risky Users, you can view all risky users for the policy. View details for these users and take action as needed.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.