>
    New Features Introduced in May 2025
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Features Introduced in 2025
    4. New Features Introduced in May 2025
    Download PDF
    SaaS Security

    New Features Introduced in May 2025

    Table of Contents

    New Features Introduced in May 2025

    Learn about the new features that became available in SaaS Security in May 2025.

    SSPM Feature Enhancements

    In the SSPM product, we are regularly improving and enhancing functionality. Some recently introduced enhancements include the following enhancements:
    • Improved Scans to Detect More Application Settings for Datadog: As part of an ongoing effort to enable SSPM to detect as many application settings as possible, SSPM can now detect more settings for Datadog.
    • Alternative Onboarding Approaches: SSPM uses a number of different approaches to connect to an application to complete its scans. Depending and the application, you might connect by authenticating directly with the application or through the Okta or Microsoft Azure identity provider. Other onboarding approaches include using OAuth 2.0 authorization or a Microsoft Entra (formerly Azure) service principal. As part of an ongoing effort to provide you with more onboarding options for particular applications, alternative onboarding approaches are now available in the following applications. Specifically, you can now onboard the following applications by using Microsoft Azure credentials.
      • Bitbucket
      • Confluence
      • Envoy
      • IDrive
      • Jira
      • KanbanTool
      • Mulesoft
    • Added Identity Support: The Identity Security component of SSPM uses information from an instance of a supported application and, optionally, your identity provider to give you visibility into account risks. As part of an ongoing effort to support more applications, we now provide account risk information for the following additional applications:
      • Slack Enterprise. If you onboarded your Slack Enterprise instance prior to this update, you must re-onboard your Slack Enterprise instance. Before onboarding, you must update your Slack org-wide app to give SSPM access to the admin.users:read OAuth scope.
      • Zoom. If you onboarded your Zoom instance prior to this update, you must re-onboard your Zoom instance.

    Legacy UEBA Policies Migration to Behavior Threats

    We are retiring the legacy User Activity Policies (rule-based UEBA) and transitioning to our new enhanced Behavior Threats capability. User Activity policies, specifically the predefined policies in Data Security are now available as static policies in Behavior Threats.
    Since January 2025, we have enabled Behavior Threats in your account, offering a more advanced and adaptive approach to detecting security risks. While the rule-based UEBA system has served well in identifying known patterns of suspicious activity, Behavior Threats enhances threat detection by using machine learning (ML) to recognize both known and emerging threats with greater accuracy and efficiency.
    As part of this transition, we will be deprecating the following predefined user activity policies:
    • Bulk Deletion
    • Bulk Download
    • Bulk Sharing
    • Bulk Upload
    • Impossible Traveler
    • Login Failure
    • Malware
    • Risky IP
    • Unsafe Location
    • Unsafe VPN
    All these policies have been migrated to the new static policies under Behavior Threats. In addition, the web interface elements related to these policies are also being removed. This includes the Risk Event Trend, Risky Events, and Risk Trends charts found under Data SecurityUser & ActivitiesMonitored Users in the detailed view for each individual user.
    Behavior Threats builds on the foundation of rule-based policies by introducing smarter, more adaptive detection capabilities. With this transition, you will benefit from:
    • More accurate threat detection – Identify both known and evolving security threats with a combination of ML-based and optimized rule-based detection.
    • Unified threat management – View all security incidents in a single pane of glass for better visibility and management.
    • Improved efficiency – Reduce manual rule updates while ensuring policies remain effective against new attack patterns.
    • Enhanced customization – Configure key detections such as Impossible Traveler and Risky IP.
    • Scalability and future-proofing – A system that evolves with emerging threats and adapts to various data sources.
    The predefined policies in Data Security won’t be available for newly provisioned tenants from May 30, 2025. By transitioning to the new policies, you ensure continued functionality and access to the latest features. See the LIVEcommunity blog for a detailed explanation of this transition.

    © 2025 Palo Alto Networks, Inc. All rights reserved.