>
    Strata Copilot
    Policies to Detect Threats
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Policies to Detect Threats
    Download PDF
    SaaS Security

    Policies to Detect Threats

    Table of Contents

    Policies to Detect Threats

    Learn about the policy rules in Behavior Threats for identifying potential threats.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    Or any of the following licenses that include the Data Security license:
    • Data Security license
    • CASB-X
    • CASB-PA
    Policies instruct Behavior Threats to detect suspicious user activities, which might represent a threat to your organization. Each policy identifies a specific type of user behavior that might represent a threat, such as a user accessing SaaS apps from an unusual location or performing bulk download operations. When you enable a policy, Behavior Threats detects the suspicious activity and creates a threat incident for that user.
    Behavior Threats provides the following types of policies:
    • Dynamic Policies—Policy rules use historical data and machine learning to identify suspicious user activity. For these policy rules, Behavior Threats examines historical user data to determine a baseline for each user in your organization. This baseline is derived from the user’s past actions and also from the actions of other users in your organization. From this baseline, Behavior Threats identifies the most anomalous user actions as threat incidents.
    • Static Policies—Policy rules use preconfigured thresholds that Behavior Threats uses to detect suspicious user activity. Behavior Threats does not create a baseline of user activities or use machine learning to detect threat incidents for these policy rules. Instead, Behavior Threats records a threat incident if user actions reach the preconfigured threshold for the policy.
    By default, all Behavior Threats policy rules are enabled. However, you can disable a policy if you don’t want Behavior Threats to display incidents for that policy.

    Dynamic Policies to Detect Threats

    Learn about the dynamic policies in Behavior Threats for identifying potential threats.
    Dynamic policies instruct Behavior Threats to detect anomalies in specific types of user activities by using historical data and machine learning. Behavior Threats separates these policies into the following behavioral situations:
    • Spike in Activity: Compared to historical data, a marked increase in a particular activity within a single hour.
    • Bulk Activity: Compared to historical data, a marked increase in a particular activity over a span of hours (applicable only for sensitive assets as per policy).
    • Time-Based Activity: Compared to historical data, an activity performed by a user at an unusual time.
    • Location-Based Activity: Compared to historical data, an activity performed by a user from an unusual location.
    • Sensitive Data-Transfer Activity: Compared to historical data, unusual user access to files containing Enterprise Data Loss Prevention (E-DLP) data patterns.
    The historical data that Behavior Threats uses to detect anomalous user behavior is at most 90 days.
    Policies to Detect a Spike in Activity
    Policy NameDescription
    Detect spike in Application Usage
    Instructs Behavior Threats to display spikes in usage for an individual app within a single hour.
    For this policy, Behavior Threats logs incidents based on the number of distinct actions that a particular user performs in a particular app. Behavior Threats identifies usage spikes based on how the user typically interacts with the app.
    Behavior Threats logs a spike in app usage only if the spike is very unlikely compared to app usage across your organization.
    Detect spike in Data Downloads or Uploads
    Instructs Behavior Threats to show when a user uploads or downloads a large number of distinct files or folders within a single hour.
    For this policy, Behavior Threats logs incidents based on the amount of data that the user downloaded or uploaded compared to how much data the user typically downloads or uploads.
    Behavior Threats logs a spike in upload or download activity only if the spike is very unlikely compared to other download and upload actions across your organization.
    Detect spike in Share, Delete, and Edit actions
    Instructs Behavior Threats to show spikes in Share, Delete, or Edit actions across all SaaS apps by a single user within a single hour.
    For this policy, Behavior Threats logs incidents based on the number of files a user shared, deleted, or edited compared to the number of files the user typically shares, deletes, or edits.
    Behavior Threats logs a spike in Share, Delete, or Edit actions only if it's very unlikely compared to actions taken by other users across your organization.
    Detect spike in User Activity
    Instructs Behavior Threats to show when a user performs excessive interactions with SaaS apps within a single hour.
    For this policy, Behavior Threats logs incidents based on the number of user interactions with SaaS apps compared to the user's typical number of interactions.
    Behavior Threats logs a spike in user activity only if it's very unlikely compared to user activity across your organization.
    Policies to Detect Bulk Activity
    Policy NameDescription
    Detect bulk Data Downloads or Uploads
    Instructs Behavior Threats to show when a user uploads or downloads a large number of files or folders within a span of hours.
    For this policy, Behavior Threats logs incidents based on the amount of data that the user downloaded or uploaded compared to how much data the user typically downloads or uploads during the same number of hours.
    Behavior Threats logs a bulk download or upload incident only if it's very unlikely compared to user download or upload activity across your organization.
    Detect bulk User Activity
    Instructs Behavior Threats to show when a user performs excessive interactions with a SaaS app within a span of hours.
    For this policy, Behavior Threats logs incidents based on the number of user interactions with SaaS apps compared to the user's typical number of interactions within the same number of hours.
    Behavior Threats logs a bulk user activity incident only if it's very unlikely compared to user activity across your organization.
    Behavior Threats logs a bulk user activity incident only if it's very unlikely compared to user activity across your organization.
    Policy to Detect Time-Based Activity
    Policy NameDescription
    Detect Abnormal User Activity Hours
    Instructs Behavior Threats to show if users are active outside of the hours that they normally access the system
    For this policy, Behavior Threats logs incidents by comparing the time a user is active with their typical hours of activity.
    Behavior Threats logs an incident only if it estimates the probability of the user being active at a particular time is very low.
    Policy to Detect Location-Based Activity
    Policy NameDescription
    Detect Abnormal Location Access
    Instructs Behavior Threats to show if users access SaaS apps from an unusual location.
    For this policy, Behavior Threats logs incidents by comparing the location from which a user accesses a SaaS app to typical access locations for the user and their peers.
    Behavior Threats logs an incident only if the probability of the user accessing an app from the location is very low.
    Behavior Threats excludes the Allowed list of IP addresses from being detected for anomalies. Historical data or machine learning do not consider these IP addresses for training or inference.
    Policy to Detect Sensitive Data Transfer
    Policy NameDescription
    Detect Unusual Access to Sensitive Data
    Instructs Behavior Threats to show unusual user access to files containing Enterprise DLP data patterns. Behavior Threats logs the following unusual behavior:
    • A user accessed many sensitive files containing Enterprise DLP data patterns.
    • A user accessed files containing data patterns that are not normally in the files that they access.
    For this policy, Behavior Threats logs incidents by comparing the number of files containing Enterprise DLP data patterns and the data patterns to the user's past behavior.
    Behavior Threats logs an incident only if it estimates the probability of the sensitive-data access is very low.

    Static Policies to Detect Threats

    Learn about the static policies in Behavior Threats for identifying potential threats.
    We initially introduced the static policies as predefined user activity policies in the Data Security product. These predefined policies are no longer available for newly provisioned tenants and will be deprecated for all tenants from May 30, 2025. If you're currently using the legacy predefined policies in Data Security, we recommend that you transition to the new static policies in Behavior Threats provided in this section. By transitioning to Behavior Threats static policies, you ensure continued functionality and access to the latest features. See the LIVEcommunity blog for a detailed explanation of this transition.
    Static Policies
    Policy NameDescription
    Inactive Account Access
    Instructs Behavior Threats to show when a user accesses an app by using an inactive account. This policy considers an account inactive if the account wasn’t accessed in over 30 days. Inactive account access might indicate that the user’s account was breached.
    Impossible Traveler
    Instructs Behavior Threats to show when a user accesses an app from different locations within a time frame that couldn’t accommodate travel between the locations. This policy determines the locations by IP addresses. This impossible travel might indicate that the user’s account is compromised.
    In addition to the Allowed list of IP addresses, you can add custom IP addresses/Subnets to the IP Addresses to Exclude list so that Behavior Threats excludes them from being detected for anomalies. Select ConfigurationSaaS SecurityBehavior ThreatsPoliciesPolicy DetailsEdit PolicyConfigure ScopeAdd IP Address to add custom IP addresses/Subnets to be excluded. However, these IP addresses/Subnets that you add are applicable only for static policies and not dynamic policies.
    Login Failures
    Instructs Behavior Threats to show when a user has multiple failed login attempts to an app. Multiple login failures might indicate an attempt to breach the user account.
    For this policy, Behavior Threats logs incidents if there are more than 5 consecutive failed login attempts within 30 minutes.
    Malware Detection
    Instructs Behavior Threats to show when a user interacts with a file that contains malware. This activity might identify a malicious user and is a threat to your organization.
    Risky IPs
    Instructs Behavior Threats to show when a user accesses an app from a suspicious IP address. Suspicious IP addresses include malicious IP addresses identified by Unit 42, the Palo Alto Networks threat intelligence team. Suspicious IP addresses also include IP addresses of known Tor exit nodes and IP addresses belonging to Bulletproof Hosting Providers (BHPs). Access from a risky IP address likely indicates that the user’s account was breached.
    You can add custom IP addresses/Subnets to the IP Addresses to Exclude list so that Behavior Threats excludes them from being detected for anomalies. Select ConfigurationSaaS SecurityBehavior ThreatsPoliciesPolicy DetailsEdit PolicyConfigure ScopeAdd IP Address to add custom IP addresses/Subnets to be excluded. However, these IP addresses/Subnets that you add are applicable only for static policies and not dynamic policies.
    Unsafe Location
    Instructs Behavior Threats to show when a user accesses an app from a country that the United States Department of the Treasury considers unsafe. These countries are considered unsafe because they are known origins of cyber attacks. User access from an unsafe location likely indicates that the user’s account was breached.
    You can add custom IP addresses/Subnets to the IP Addresses to Exclude list so that Behavior Threats excludes them from being detected for anomalies. Select ConfigurationSaaS SecurityBehavior ThreatsPoliciesPolicy DetailsEdit PolicyConfigure ScopeAdd IP Address to add custom IP addresses/Subnets to be excluded. However, these IP addresses that you add are applicable only for static policies and not dynamic policies.
    Unsafe VPN
    Instructs Behavior Threats to show when a user accesses an app from an unauthorized or unsanctioned VPN. These unsafe VPNs include personal VPNs and known consumer VPNs. The use of an unsafe VPN might indicate that the user is hiding their IP address to avoid auditing and tracking. The use of an unsafe VPN might also indicate that a malicious actor is attempting to decrypt traffic to steal user credentials.
    You can add custom IP addresses/Subnets to the IP Addresses to Exclude list so that Behavior Threats excludes them from being detected for anomalies. Select ConfigurationSaaS SecurityBehavior ThreatsPoliciesPolicy DetailsEdit PolicyConfigure ScopeAdd IP Address to add custom IP addresses/Subnets to be excluded. However, these IP addresses/Subnets that you add are applicable only for static policies and not dynamic policies.

    © 2026 Palo Alto Networks, Inc. All rights reserved.