SaaS Security
Predefined Policies to Detect Suspicious User Activity
Learn about the predefined policies that you can use
to detect suspicious user activities.
Policies for detecting suspicious user activity are now included in the Behavior Threats feature of SaaS Security. Specifically, the predefined policies in Data Security are now available as static policies in Behavior Threats. The predefined policies described in this section will not be available for tenants newly provisioned from May 30, 2025. By transitioning to the new Behavior Threats policies, you ensure continued functionality and access to the latest features. See the LIVEcommunity blog for a detailed explanation of this transition.

Data Security provides predefined policies for detecting suspicious user activity. These activities might indicate attempts to steal or destroy data, or attempts to breach a user's account. These predefined policies are Disabled by default, but you can Enable them from the User Activity Policies page (Data Security > Policies > User Activity Policies). If a Suspicious User Activity policy is enabled, violations of the policy are logged as incidents.

From the User Activity Policies page, you can edit the severity of a policy, but you cannot edit its match criteria. If you want to trigger policy violations based on different criteria, such as a different event count or frequency, contact customer support.
The following predefined policies are available.
Predefined Policy Name | Description |
---|---|
Bulk Deletion | Detects that a user deleted a large number of files or folders within a short time frame. Bulk deletion might be a malicious attempt to cause data loss. Data Security triggers a violation of this policy if a user deletes more than 20 unique files or folders within an hour. |
Bulk Download | Detects that a user downloaded a large number of distinct files or folders within a short time frame. Bulk downloads might be an attempt to compromise your organization’s sensitive data. Data Security triggers a violation of this policy if a user downloads more than 20 unique files or folders within an hour. |
Bulk Sharing | Detects that a user shared a large number of distinct files or folders within a short time frame. Bulk sharing might be an attempt to compromise your organization’s sensitive data. Data Security triggers a violation of this policy if a user shares more than 20 unique files or folders within an hour. |
Bulk Upload | Detects that a user uploaded a large number of distinct files or folders within a short time frame. Bulk uploads might be an attempt to compromise your organization’s sensitive data. Data Security triggers a violation of this policy if a user uploads more than 20 unique files or folders within an hour. |
Impossible Traveler | Detects that a user accessed an application from different locations within a time frame that could not accommodate travel between the locations. The locations are determined by IP addresses. Impossible travel might indicate that the user’s account is compromised. |
Inactive Account Access | Detects that a user accessed an application by using an inactive account. An account is considered inactive if it was not accessed in over 30 days. Inactive account access might indicate that the user’s account was breached. |
Login Failure | Detects multiple failed login attempts to an application by a user. Multiple login failures might indicate an attempt to breach the user account. Data Security triggers a violation of this policy if there are more than 5 consecutive failed login attempts within 30 minutes. |
Malware | Detects user activity on a file that contains malware. This activity might identify a malicious user and is a threat to your organization. |
Risky IPs | Detects that a user accessed an application from a suspicious IP address. Suspicious IP addresses include malicious IP addresses identified by Unit 42, the Palo Alto Networks threat intelligence team. Suspicious IP addresses also include IP addresses of known Tor exit nodes and IP addresses belonging to Bulletproof Hosting Providers (BHPs). Access from a risky IP address likely indicates that the user’s account was breached. |
Unsafe Location | Detects that a user accessed an application from a country that the United States Department of the Treasury considers unsafe. These countries are considered unsafe because they are known origins of cyberattacks. User access from an unsafe location likely indicates that the user’s account was breached. |
Unsafe VPN | Detects that a user accessed an application from an unauthorized or unsanctioned VPN. These unsafe VPNs include personal VPNs and known consumer VPNs. The use of an unsafe VPN might indicate that the user is hiding their IP address to avoid auditing and tracking. The use of an unsafe VPN might also indicate that a malicious actor is attempting to decrypt traffic to steal user credentials. |
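The following is an added example, not Palo Alto Networks' code, showing how the Bulk and Login Failure thresholds from the table behave on constructed events: bulk detection counts distinct targets in a sliding one-hour window (so repeated actions on one file do not count), and login-failure detection counts consecutive failures within 30 minutes, with a successful login resetting the run. The event tuple shape, user names and file names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not the product's log schema: (timestamp, user, action, target).
T0 = datetime(2025, 1, 15, 9, 0)
EVENTS = (
    # alice deletes 25 distinct files in 25 minutes -> exceeds 20 unique within an hour
    [(T0 + timedelta(minutes=i), "alice", "delete", f"doc{i}.xlsx") for i in range(25)]
    # bob deletes the same file 30 times -> one unique target, no violation
    + [(T0 + timedelta(minutes=i), "bob", "delete", "draft.docx") for i in range(30)]
    # carol fails 6 consecutive logins in 10 minutes -> exceeds 5 within 30 minutes
    + [(T0 + timedelta(minutes=2 * i), "carol", "login_failure", "app") for i in range(6)]
    # dave fails 3, succeeds, fails 3 -> the success resets the run, no violation
    + [(T0 + timedelta(minutes=i), "dave", "login_failure", "app") for i in range(3)]
    + [(T0 + timedelta(minutes=3), "dave", "login_success", "app")]
    + [(T0 + timedelta(minutes=4 + i), "dave", "login_failure", "app") for i in range(3)]
)

def bulk_violations(events, action, limit=20, window=timedelta(hours=1)):
    """Users who performed `action` on more than `limit` unique targets inside `window`."""
    recent = defaultdict(deque)   # user -> (ts, target) pairs still inside the sliding window
    flagged = set()
    for ts, user, act, target in sorted(events):
        if act != action:
            continue
        q = recent[user]
        q.append((ts, target))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len({t for _, t in q}) > limit:   # distinct files, not raw event count
            flagged.add(user)
    return flagged

def login_failure_violations(events, limit=5, window=timedelta(minutes=30)):
    """Users with more than `limit` consecutive failed logins inside `window`."""
    run = defaultdict(deque)   # user -> timestamps of the current unbroken failure run
    flagged = set()
    for ts, user, act, _ in sorted(events):
        if act == "login_success":
            run[user].clear()   # a success breaks the consecutive run
        elif act == "login_failure":
            q = run[user]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) > limit:
                flagged.add(user)
    return flagged

if __name__ == "__main__":
    print("Bulk Deletion:", bulk_violations(EVENTS, "delete"))  # {'alice'}
    print("Login Failure:", login_failure_violations(EVENTS))   # {'carol'}
```

The same `bulk_violations` function covers Bulk Download, Sharing and Upload by passing the corresponding action name.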