Static Policies to Detect Threats
Learn about the static policies in Behavior Threats for identifying potential threats.
We initially introduced the static policies as predefined user activity policies in the Data Security product. These predefined policies are no longer available for newly provisioned tenants and will be deprecated for all tenants from May 30, 2025. If you're currently using the legacy predefined policies in Data Security, we recommend that you transition to the new static policies in Behavior Threats provided in this section. By transitioning to Behavior Threats static policies, you ensure continued functionality and access to the latest features. See the LIVEcommunity blog for a detailed explanation of this transition.
Static Policies

Policy Name / Description
Inactive Account Access
Instructs Behavior Threats to show when a user accesses an app by using an inactive account. This policy considers an account inactive if the account wasn’t accessed in over 30 days. Inactive account access might indicate that the user’s account was breached.
Impossible Traveler
Instructs Behavior Threats to show when a user accesses an app from different locations within a time frame that couldn’t accommodate travel between the locations. This policy determines the locations by IP addresses. This impossible travel might indicate that the user’s account is compromised.
In addition to the Allowed list of IP addresses, you can add custom IP addresses to the IP Addresses to Exclude list so that Behavior Threats excludes them from being detected for anomalies. Select Manage > Configuration > SaaS Security > Behavior Threats > Policies > Policy Details > Edit Policy > Configure Scope > Add IP Address to add custom IP addresses to be excluded. However, the IP addresses that you add apply only to static policies, not to dynamic policies.
Login Failures
Instructs Behavior Threats to show when a user has multiple failed login attempts to an app. Multiple login failures might indicate an attempt to breach the user account.
For this policy, Behavior Threats logs incidents if there are more than 5 consecutive failed login attempts within 30 minutes.
Malware Detection
Instructs Behavior Threats to show when a user interacts with a file that contains malware. This activity might identify a malicious user and is a threat to your organization.
Risky IPs
Instructs Behavior Threats to show when a user accesses an app from a suspicious IP address. Suspicious IP addresses include malicious IP addresses identified by Unit 42, the Palo Alto Networks threat intelligence team. Suspicious IP addresses also include IP addresses of known Tor exit nodes and IP addresses belonging to Bulletproof Hosting Providers (BHPs). Access from a risky IP address likely indicates that the user’s account was breached.
You can add custom IP addresses to the IP Addresses to Exclude list so that Behavior Threats excludes them from being detected for anomalies. Select Manage > Configuration > SaaS Security > Behavior Threats > Policies > Policy Details > Edit Policy > Configure Scope > Add IP Address to add custom IP addresses to be excluded. However, the IP addresses that you add apply only to static policies, not to dynamic policies.
Unsafe Location
Instructs Behavior Threats to show when a user accesses an app from a country that the United States Department of the Treasury considers unsafe. These countries are considered unsafe because they are known origins of cyber attacks. User access from an unsafe location likely indicates that the user’s account was breached.
You can add custom IP addresses to the IP Addresses to Exclude list so that Behavior Threats excludes them from being detected for anomalies. Select Manage > Configuration > SaaS Security > Behavior Threats > Policies > Policy Details > Edit Policy > Configure Scope > Add IP Address to add custom IP addresses to be excluded. However, the IP addresses that you add apply only to static policies, not to dynamic policies.
Unsafe VPN
Instructs Behavior Threats to show when a user accesses an app from an unauthorized or unsanctioned VPN. These unsafe VPNs include personal VPNs and known consumer VPNs. The use of an unsafe VPN might indicate that the user is hiding their IP address to avoid auditing and tracking. The use of an unsafe VPN might also indicate that a malicious actor is attempting to decrypt traffic to steal user credentials.
You can add custom IP addresses to the IP Addresses to Exclude list so that Behavior Threats excludes them from being detected for anomalies. Select Manage > Configuration > SaaS Security > Behavior Threats > Policies > Policy Details > Edit Policy > Configure Scope > Add IP Address to add custom IP addresses to be excluded. However, the IP addresses that you add apply only to static policies, not to dynamic policies.
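The following is an added example, not code from SaaS Security or Behavior Threats, that shows what the Inactive Account Access, Impossible Traveler and Login Failures policies above amount to when run over a handful of login events. The thresholds the page states (an account is inactive after 30 days; an incident after more than 5 consecutive failures within 30 minutes) are used as written. Everything else is an assumption for illustration: the sample events, the tiny IP-to-location table standing in for a GeoIP feed, the 1000 km/h cut-off for "impossible" travel, and the treatment of the IP Addresses to Exclude list as a set of IPs that the Impossible Traveler check simply skips.

```python
"""Toy re-implementation of three Behavior Threats static policies over
constructed login events. This is example code, not the product's logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumption: a tiny IP geolocation table (lat, lon) built from RFC 5737
# documentation addresses. A real policy resolves locations with a GeoIP feed.
GEO = {
    "203.0.113.10": (37.77, -122.42),   # San Francisco
    "198.51.100.7": (48.86, 2.35),      # Paris
    "192.0.2.200": (40.71, -74.01),     # New York
}
MAX_SPEED_KMH = 1000.0               # assumption: faster than this is impossible travel
INACTIVE_AFTER = timedelta(days=30)  # from the page: inactive if unused for over 30 days
FAILURE_WINDOW = timedelta(minutes=30)  # from the page: window for consecutive failures
FAILURE_LIMIT = 5                    # from the page: incident when failures exceed 5


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    ok: bool  # True for a successful login, False for a failed attempt


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def inactive_account_access(events):
    """Flag a successful login when the account's previous success was more
    than INACTIVE_AFTER earlier. Returns a list of (user, timestamp)."""
    hits, last_success = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.ok:
            continue
        prev = last_success.get(e.user)
        if prev is not None and e.ts - prev > INACTIVE_AFTER:
            hits.append((e.user, e.ts))
        last_success[e.user] = e.ts
    return hits


def impossible_traveler(events, excluded_ips=frozenset()):
    """Flag two consecutive successful logins from different locations whose
    implied speed exceeds MAX_SPEED_KMH. Logins from IPs on the exclusion list
    (for example a corporate VPN egress) are skipped. Returns (user, from_ip, to_ip)."""
    hits, last_login = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.ok or e.ip in excluded_ips or e.ip not in GEO:
            continue
        prev = last_login.get(e.user)
        if prev is not None:
            km = haversine_km(GEO[prev.ip], GEO[e.ip])
            hours = (e.ts - prev.ts).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                hits.append((e.user, prev.ip, e.ip))
        last_login[e.user] = e
    return hits


def login_failures(events):
    """Log an incident once a user has more than FAILURE_LIMIT consecutive
    failures inside FAILURE_WINDOW. A success resets the streak; a logged
    incident starts a fresh streak. Returns (user, timestamp of the incident)."""
    hits, streak = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.ok:
            streak.pop(e.user, None)
            continue
        recent = [t for t in streak.get(e.user, []) if e.ts - t <= FAILURE_WINDOW]
        recent.append(e.ts)
        if len(recent) > FAILURE_LIMIT:
            hits.append((e.user, e.ts))
            recent = []
        streak[e.user] = recent
    return hits


# Constructed sample events, not real logs.
T0 = datetime(2025, 3, 1, 9, 0)
SAMPLE = [
    # alice: San Francisco, then Paris 40 minutes later -> Impossible Traveler
    Event(T0, "alice", "203.0.113.10", True),
    Event(T0 + timedelta(minutes=40), "alice", "198.51.100.7", True),
    # bob: six failures in six minutes, then a success -> Login Failures
    *[Event(T0 + timedelta(minutes=i), "bob", "192.0.2.200", False) for i in range(6)],
    Event(T0 + timedelta(minutes=7), "bob", "192.0.2.200", True),
    # carol: dormant for 45 days, then logs in -> Inactive Account Access
    Event(T0, "carol", "192.0.2.200", True),
    Event(T0 + timedelta(days=45), "carol", "192.0.2.200", True),
]

if __name__ == "__main__":
    print("inactive:", inactive_account_access(SAMPLE))
    print("impossible:", impossible_traveler(SAMPLE))
    print("impossible (Paris excluded):", impossible_traveler(SAMPLE, {"198.51.100.7"}))
    print("failures:", login_failures(SAMPLE))
```

Two points worth noticing when reading the output: carol's two logins come from the same IP, so the zero-distance check keeps her out of the Impossible Traveler results even though 45 days passed, and adding the Paris address to the exclusion set removes alice's hit entirely, which is exactly why the IP Addresses to Exclude list should hold only egress addresses you control.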