Activity Insights: Users

Monitor user activity in your Prisma Access and NGFW environments.
Where Can I Use This?
  • Prisma Access
    (with Strata Cloud Manager or Panorama configuration management)
  • NGFWs
    (with Strata Cloud Manager or Panorama configuration management)
What Do I Need?
You must have at least one of these licenses to use the Activity Insights:
The other licenses needed to view the Activity Insights: Users tab are:
  • Strata Logging Service
  • Advanced URL Filtering license
  • Cloud Identity Engine license
  • Advanced Threat Prevention license
  • ADEM Observability will unlock additional Prisma Access features
You can view data for users who connect to Prisma Access and NGFW security services either through the GlobalProtect app on their devices or through Explicit Proxy in a web browser on their devices. Monitoring user activity helps you detect and stop potential threats, prevent misuse of sensitive information, and adjust your Security policy rule to close security gaps.
You can filter the user data based on:
  • Deployment: Prisma Access, NGFW
  • Connection methods and versions: GlobalProtect, Explicit Proxy, Prisma Access Browser
  • Username
  • Device name
  • Traffic originating location and Prisma Access locations
  • Applications accessed by users and user experience score filters
View the following details here:
  • Connected/Active Users - Monitor aggregated data about your currently connected GlobalProtect, Explicit Proxy Mobile Users, and Prisma Access Browser.
    View the number of users connected to your network at the time the data was fetched or as indicated in the timestamp. You can View Trend by Users or by User Devices. Select the number to see the Connected Users | Connected User Devices table for details about all connected users and all of their devices.
    View Dynamic Privilege Access data in View Trend by Users or by User Devices, Connected Users | Connected User Devices, and Project Distribution by Theater.
  • Monitored Users - View the total number of users or user devices monitored by ADEM and their average user experience, which is the experience score aggregated across all users monitored on ADEM. Click the number to view the user activity details in relation to user experience.
  • Risky Users - View the number of users impacted by threats. The Up or Down arrow compares this time range with a previous time range to determine the difference, in percentage, of the number of connected devices. Select View More Details for GlobalProtect Versions or IP Pool Utilization to see details about risky users in your environment.
  • GlobalProtect Version Details shows the GlobalProtect versions that are installed on your devices. You can see how many users are connecting with each version. Use the data to enforce compliance with the latest GlobalProtect app version. Hover over the Distribution Trend lines to see the IP addresses of users connected at that time.
  • See IP pool utilization by different IP pool allocation theaters based on the number of connected users at that time. The IP pool utilization percentage on the graph is the number of IP pool blocks used out of all the IP pool blocks that are available across all the subnets. You can take proactive action by adding subnets when you see an IP pool bar approaching the maximum capacity for any region.
  • The Users table displays information about the users logged in during the Time Range. Click the username to get visibility into an individual user's browsing patterns: their most frequently visited sites, the sites with which they're transferring data, and attempts to access high-risk sites.
    • Threats
      • Browsing summary - See the numbers for the types of sites with which the user had the most data transfer and number of site visits by the user.
      • Top 10 Most Visited URL Categories - View the top URL categories for the user based on data transfer. You can also see the number of unique URLs visited that fall into each URL category.
      • URL Browsing Summary - Out of the unique URLs visited by the user, watch out for visits to malicious and high-risk URLs — these sites can expose your network to threats, data loss, and compliance violations. If you see more visits to these sites than you’d expect, adjust your Security policy rule to close the gaps.
      • Top 10 URLs - Review the risk level for the most frequently visited sites by the user. High-risk URLs need to be monitored as they are likely to expose your network to threats.
      • Blocked URLs by Risk - These are the blocked URLs that the user most frequently attempted to access. Review the URL filtering logs and see if you need to adjust the security policy rule to change the action.
      • Severe Threats - View the total threats detected for the user and the numbers based on the severity of the threats. Compare the number with other users. Adjust the security policy rule if the numbers are unusually high.
      • Top Severe Threats - These are the threats most frequently detected for the user.
    • Connectivity - shows the trend of devices that the user is logged into during a specific time period and the device connection details for every user login and logout event.
    • Experience - provides the user experience data for the device, the experience score and trend for each of the monitored applications, and performance metric for the monitored user and applications for individual devices.
  • Prisma Access Browser - Select the Prisma Access Browser Connection Method to view information about your Prisma Access Browser users.
    The Prisma Access Browser Users activity trend chart shows the number of users who have been active at some point in the selected time range filter. The chart breaks these active users down by device: devices installed with a Prisma Access connectivity agent (managed) and devices without any agent (unmanaged).
    The Prisma Access Browser offers unmatched visibility into a browser user's actions, indicating whether the user's actions on their device in regard to the enterprise's data assets are allowed or blocked by the enterprise's DLP policy. The Blocked DLP PA Browser Events widget shows events indicating user actions performed on the browser that are blocked by policy.
    The Prisma Access Browser Users table shows the list of active users accessing applications through the Prisma Access Browser. Click any User Name to see this user's Activity in the User Details > Activity page.
    The Prisma Access Browser Event Summary page lists all browser actions performed by the user through the browser in the selected time interval. The default view of the PA Browser Events table shows the list of all DLP Browser Events, whether allowed or blocked by policy. You can switch to other event categories, such as Access Events, Posture Events, or Malicious Events, by selecting the appropriate event category. In each event category, you can view the breakdown of event types, along with the timestamp showing when the browser event was performed, information about the accessed application URL, the application name, and any relevant associated MITRE ATT&CK note.
Reports - You cannot generate a report that covers the data in this view. However, you can use the User Activity report to view activity specific to a user in your network. To schedule a report from the Strata Cloud Manager > Reports menu, click the icon and select Users from the Type drop-down.