1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. SaaS Security API
    5. Manage Policy for Sanctioned SaaS Apps
    6. Policy Types on SaaS Security API
    7. User Activity Rules
    8. Match Criteria for User Activity Rules

    Match Criteria for User Activity Rules

    Learn about the match criteria available for user activity rules on SaaS Security API.
    When you create a user activity rule, you need to specify match criteria. The following table lists the match criteria for user activity rules on SaaS Security API.
    Match Criteria
    Description
    Activity
    List of activities to monitor. For example, activities can include
    Create
    ,
    Download
    ,
    Edit
    ,
    Delete
    ,
    Authorize
    ,
    Upload
    ,
    Join
    , or more. You can include multiple activities in a rule.
    The activities available depend on your SaaS app. If a specific activity does not display in
    Explore
     >
    Activities
    , then the event is not supported for your SaaS app and, therefore, you cannot define it in a rule.
    Cloud Apps
    List of accessible applications to scan. By default, all cloud apps you added to SaaS Security API are scanned, but you can restrict scans to specific apps.
    Count and Frequency
    The count and frequency of the activity that will trigger a policy violation. For example, ten (or more) times a week, or two (or more) times per day.
    User (Actor)
    Users whose perform the activities. By default, all users in all domains are included. Alternatively, you can:
    • Email Address
      — Include an email addresses for each user to monitor. Use commas to separate each address in the list.
    • Domain
      —Include (or exclude) a subset of users based on domains. Use commas to separate each domain in the list.
    Target
    The
    Name
     and
    Type
     of target for the user activity. For example, a target could be any user activity that impacts a
    Super Admin
     (target name)
    Password
     (target type). Or, any user activity associated with a
    Client List
     (target name)
    Report
     (target type).
    You can
    Add a Target
     to include multiple targets in a policy rule. For example, activities that add
    Users
     (target) to
    Teams
     (target), or activities that share
    Links
     (target) with
    Users
     (target) would include two targets in the rule.
    Folder
     alerts you when the user activity occurs on any file contained in the folder.
    Folder File
     alerts you when there is user activity on the specific file defined in the
    Name
    .
    The targets available depend on your SaaS app. If a specific target does not display in
    Explore
     >
    Activities
    , then the event is not supported for your SaaS app and, therefore, you cannot define it in a rule.
    Location
    The location where the activity occurs. Choices include:
    • Any Country
       (default)—Activities in all countries.
    • Specific Countries
      —Activities in specific countries. You can select multiple countries from the list.
    • Any Country Except
      —Activities in all countries, except the ones you select.
    IP Address
    The IP address where the activity was initiated. Choices include:
    • Any IP Address
      —Activities initiated from any IP address.
    • Specific IP Addresses
      —Activities initiated from specific IP addresses.
    • Any IP Address Except
      —Activities initiated from all IP addresses, except the ones you specify.
    Use commas to separate multiple IP addresses.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo