>
    Strata Copilot
    Security Control Policies
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Data Security Administration
    4. Manage Policy for Sanctioned SaaS Apps in Data Security
    5. Security Control Policies
    Download PDF
    SaaS Security

    Security Control Policies

    Table of Contents

    Security Control Policies

    Learn about the security control policies on Data Security.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Data Security license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    Security control policies on Data Security enable you to define and enforce policies for monitoring settings and activities so you can automatically detect and remediate risks around data exfiltration, exposure, or risky user behavior.

    Add a New Security Control Policy

    Learn how to enable security control policies on Data Security.
    Add a new security control policies to monitor activities. For example, you can create a policy that sends an email alert or creates a log entry when a user forwards a corporate email to a personal email address. Security control policies include a robust set of match criteria that enable you to precisely define which settings and activities to track.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationSaaS SecurityData SecurityPoliciesSecurity Control PoliciesAdd Policy.
    3. Define the basic settings.
      1. Enter a Policy Name for the policy.
      2. (Optional) Enter a Description for the policy.
      3. Specify the Severity for the policy. Severity ranges from Very Low, Low, Medium, High, and Critical.
      4. Enable or disable the Status.
      5. Under Security Control Criteria, by default the Application Type is Email Applications.
      6. Select your Sanctioned Applications from the drop-down list.
      7. Select one of the following from the Setting Type.
        SaaS Security web interface dynamically displays the cloud apps that support the setting you select.
        Setting Type
        Description
        Administrative Access
        Identifies administrators who have access to an end users inbox. The Admin Email lists the email address of the administrator and the User Email lists the email address of the user whose inbox can be accessed by the administrator.
        Email Forwarding Rule
        Identifies Corporate emails that are forwarded to personal email domains. Rule Name identifies the email forwarded and the email address is listed in Forwarded Email Address. Add a comma-separated list of domains to consider as risky in Risky Domains.
        Currently, Microsoft Exchange connector detects only Inbox Rules (OutlookSettingsMailRules).
        Email Public Folder
        Identifies exposed public folders that users can access within the Enterprise, and Folder Name and Folder Owner to exclude.
        This option will be deprecated for Microsoft Exchange connector in October 2026.
        Email Retention
        Identifies user-generated email retention settings that vary from the Corporate Administrator policy settings.
        This option will be deprecated for Microsoft Exchange connector in October 2026.
        Setting Options with Exclude are Optional.
      8. The ADVANCED OPTIONS (OPTIONAL) for the above setting types are as follows:
        • Administrative Access
          • Excluded Administrator Email Addresses: Add a comma-separated list of administrators that should not be flagged as risky
          • Excluded End-User Email Addresses: Add a comma-separated list of end-users that should not be flagged as risky
        • Email Forwarding Rule
          • Excluded Users: Add a comma-separated list of user email addresses to exclude from this rule
          • Excluded Rules for Exchange only
        • Email Public Folder
          • Excluded Folders: Add a comma-separated list of folder names to exclude from this rule
          • Excluded Folder Owners: Add a comma-separated list of folder owner email addresses to exclude from this rule
        • Email Retention
          • Excluded Users: Add a comma-separated list of user email addresses to exclude from this rule
      9. Under Actions, choose either Send Administrator Alert or Log only.
      10. Save Policy to create your new security control policy.
    4. Verify the Security Control policy is enabled.
      After saving, the policy is listed on the Security Control Policy under Enabled or Disabled. Data Security starts scanning files against the policy as soon as you save the changes. After the scan starts, you can start to View Policy Violations for Security Controls.

    View Policy Violations for Security Controls

    Learn how to use the Security Control policy log to investigate policy violations for security controls.
    After connecting to a SaaS app, Data Security begins scanning and matching activities and settings against enabled security controls.
    The default action for a security control policy is to generate a log for a discovered violation, though you can configure Data Security to send administrator alert as an action instead. Use this log to investigate policy violations for security controls. To view policy violations for security controls, select ConfigurationSaaS SecurityData SecurityIncidentsSecurity Control Incidents.

    © 2026 Palo Alto Networks, Inc. All rights reserved.