Events

The Events screen provides a detailed view of user interactions with generative AI applications and agents. While the Overview page shows which services are active and their overall usage, the Events view drills down into what actually happened during each session.

A Workforce AI Security event is created whenever a user performs an interaction with an AI application (web, desktop, or MCP-based agent) that Workforce AI Security monitors.

These interactions include:

  • File upload / file interaction

  • Prompts entered by users

  • Text inputs (text control)

You can also forward Workforce AI Security events to an external SIEM platform for centralized monitoring, correlation, and long‑term retention. For more information, see Event Forwarding in the Check Point Portal Administration Guide.

Events for Chats and Agentic Platforms

In the Events page, select:

  • Chats - to see user interactions with AI chats, including:

    • Session classification (Use case, DLP found)

    • Risk scoring

    • The policy enforcement action applied (for example, Prevent, Redact, or Ask)

  • Agentic - to see the behavior of agentic platforms (MCP), including:

    • MCP tools used

    • Triggered policies and their outcomes

    • Types of sensitive data involved in events

    • Risk scoring

Use the Events screen to:

  • Investigate individual activities within AI sessions.

  • Verify compliance with organizational policies.

  • Identify potential security risks or data exposure incidents.

Interactions List

The Events screen displays a chronological list of recent user or agentic interactions with AI apps, with each row represents a specific interaction within an AI application or MCP server. Use Filter to show only specific events.

  • Click an event to see its details.

Name

Description

Application

Name of the applications the user interacts with.

Type

Web or desktop application.

Time

Date on which the user session was performed.

User

Name of the user initiating the interaction.

User Actions

The action taken by the user during the session. It shows whether the user pasted text.
Risk The event risk level assessed by Workforce AI Security.

Use Case

Names of the categories associated with the event.

Action

  • For prompts: Allow, Ask, Block, Prevent, Redact

  • For files: Allow, Ask, Block, Prevent

  • For pasted text: Allow, Ask, Block, Prevent, Detect

  • For MCP: Block, Allow

For more information on the policies, see Policy Action Behaviors

Description

Resolution according to the applied policy.

Policy Name

Rule name for the relevant policy.

Reason

Summary of the user prompt and intent with the AI interactions.
Content Source The source of the content in the session.

Sensitive Data

Types of sensitive information exposed in the session.

File Names

Files used with the prompt (name, type, size).

Prompt

Users with administrative permissions can view the session prompt. Workforce AI Security hides prompt that contains no sensitive information or risk. For more information about permissions, see Roles.

From the Events screen, administrators can:

  • Understand user behavior – See how employees interact with AI tools.

  • Validate policy effectiveness – Confirm whether Access and DLP policies are applied correctly.

  • Support compliance audits – Export or review event logs for governance and reporting.

After identifying active applications in the Applications screen, use the Events screen to:

  • Drill down into specific sessions.

  • Review detailed actions and enforcement outcomes.

  • Decide if additional policies or restrictions are needed.

Policy Action Behaviors

Policy

Short Description

Behavior

Data Flow Data Control

Allow

Always allow the action

Accepts the entered data without restrictions. Action proceeds normally.

Allowed

Not restricted

Ask

User must confirm

Prompts the user to approve or cancel the action before proceeding.

Conditional

Conditional

Block

Do not allow the action

Rejects the entered data and stops the action.

Not allowed

Attempt blocked

Detect

Log the event only

Identifies and records the data event without changing or interrupting the action.

Allowed

Not restricted

Prevent

Strictly block the action

Actively stops the action and may disable the ability to submit data.

Not allowed

Action disabled

Redact

Remove sensitive data

Allows the action but removes or masks sensitive information before processing.

Sanitized only

Sensitive data

When a user triggers an Ask policy, a dialog window is displayed in the chat. The window notifies the user that their message contains sensitive information, such as a phone number, and asks if they want to continue. If the user chooses to proceed, they must enter a justification, which is logged by Workforce AI Security for compliance.

This process documents all policy exceptions for audit and compliance review.

Filtering the Events

In the application events table, you can search and filter specific events related to a particular application.

To filter the list of events, do one of these:

  • Use the free text search for strings across all fields.

  • To filter events for a specific type, click the Filter icon and select the required fields.