>
    Strata Copilot
    Match Criteria for User Activity Policies
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Manage Policy for Sanctioned SaaS Apps in Data Security
    4. User Activity Policies
    5. Match Criteria for User Activity Policies
    Download PDF
    SaaS Security

    Match Criteria for User Activity Policies

    Table of Contents

    Match Criteria for User Activity Policies

    Learn about the match criteria available for user activity policies on Data Security.
    When you create a user activity policy, you need to specify match criteria. The following table lists the match criteria for user activity policies on Data Security.
    Match Criteria
    Description
    Sanctioned Applications
    List of accessible applications to scan. By default, all cloud apps you added to Data Security are scanned, but you can restrict scans to specific apps.
    User Activity
    List of activities to monitor. For example, activities can include Create, Download,Edit, Delete, Authorize, Upload, Join, or more. You can include multiple activities in a policy.
    User Activity Frequency
    The count and frequency of the activity that will trigger a policy violation. For example, ten (or more) times a week, or two (or more) times per day.
    User (Actor)
    Users whose perform the activities. By default, all users in all domains are included. Alternatively, you can:
    • Email Address— Include an email address for each user to monitor. Use commas to separate each address in the list.
    • Domain—Include (or exclude) a subset of users based on domains. Use commas to separate each domain in the list.
    Domain
    The domain where the activity occurs. Choices include:
    • Any Domain (default)—Activities in all domains.
    • Specific Domains—Activities in specific domains. You can select multiple domains from the list.
    • Any Domain Except—Activities in all domains, except the ones you select.
    Location
    The location where the activity occurs. Choices include:
    • Any Country (default)—Activities in all countries.
    • Any Country Except—Activities in all countries, except the ones you select.
    • Specific Countries only—Activities in specific countries. You can select multiple countries from the list.
    You can choose a maximum of 28 countries from the given list.
    IP Address
    The IP address where the activity was initiated. Choices include:
    • Any IP Address—Activities initiated from any IP address.
    • Any IP Address Except—Activities initiated from all IP addresses, except the ones you specify.
    • Specific IP Addresses only—Activities initiated from specific IP addresses.
    Use commas to separate multiple IP addresses.
    TARGETS (OPTIONAL)
    The Name and Type of target for the user activity. For example, a target could be any user activity that impacts a Super Admin (target name) Password (target type). Or, any user activity associated with a Client List (target name) Report (target type).
    You can Add a Target to include multiple targets in a policy. For example, activities that add Users (target) to Teams (target), or activities that share Links (target) with Users (target) would include two targets in the policy.
    Folder alerts you when the user activity occurs on any file contained in the folder. Folder File alerts you when there is user activity on the specific file defined in the Name.
    The targets available depend on your SaaS app. If a specific target does not display in Explore > Activities, then the event isn't supported for your SaaS app and, therefore, you can't define it in a policy.

    © 2025 Palo Alto Networks, Inc. All rights reserved.