Static Policies for Detecting Threats

Learn about the static policies in Behavior Threats for identifying potential threats.
Static policies have preconfigured thresholds that Behavior Threats uses to detect suspicious user activity. Behavior Threats does not create a baseline of user activities or use machine learning to detect threat incidents for these policies. Instead, Behavior Threats records a threat incident if user actions reach the preconfigured threshold for the policy.
The static policies were first introduced as predefined user activity policies in the Data Security product. Those original versions are no longer available for newly provisioned tenants and will soon be deprecated for all tenants. If you are still using the legacy predefined policies, transition to the new policies to keep the same functionality and gain access to the latest features.

Static Policies

Policy Name / Description

Inactive Account Access
Instructs Behavior Threats to show when a user accesses an application with an inactive account. An account is considered inactive if it was not accessed in more than 30 days. Access from an inactive account might indicate that the account was compromised.

Impossible Traveler
Instructs Behavior Threats to show when a user accesses an application from two locations within a time frame too short to allow travel between them. Locations are derived from the source IP addresses of the accesses, so accuracy depends on IP geolocation. Impossible travel might indicate that the user's account is compromised.

Login Failures
Instructs Behavior Threats to show when a user has multiple failed login attempts to an application. Multiple login failures might indicate an attempt to break into the user account.
For this policy, Behavior Threats logs an incident if there are more than 5 consecutive failed login attempts within 30 minutes.

Malware Detection
Instructs Behavior Threats to show when a user interacts with a file that contains malware. This activity might identify a malicious user and is a threat to your organization.

Risky IPs
Instructs Behavior Threats to show when a user accesses an application from a suspicious IP address. Suspicious IP addresses include malicious IP addresses identified by Unit 42, the Palo Alto Networks threat intelligence team, as well as IP addresses of known Tor exit nodes and IP addresses belonging to Bulletproof Hosting Providers (BHPs). Access from a risky IP address likely indicates that the user's account was compromised.

Unsafe Location
Instructs Behavior Threats to show when a user accesses an application from a country that the United States Department of the Treasury considers unsafe. These countries are considered unsafe because they are known origins of cyberattacks. User access from an unsafe location likely indicates that the user's account was compromised.

Unsafe VPN
Instructs Behavior Threats to show when a user accesses an application from an unauthorized or unsanctioned VPN, including personal VPNs and known consumer VPNs. Use of an unsafe VPN might indicate that the user is hiding their real IP address to avoid auditing and tracking. It might also indicate that a malicious VPN operator is in a position to intercept and decrypt the user's traffic to steal credentials.
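The example below is added here to show how the three threshold-based policies in the table (Inactive Account Access, Impossible Traveler and Login Failures) can be expressed as simple static rules over a stream of login events. It is illustrative code, not Behavior Threats' own implementation: the 30-day and "more than 5 failures in 30 minutes" thresholds come from the page, while the 1000 km/h plausible-travel speed, the use of pre-resolved IP geolocation, and the sample events are assumptions made for the demonstration. The Risky IPs, Unsafe Location and Unsafe VPN policies are list lookups against threat intelligence and are not modelled.

```python
"""Static-threshold detectors modelled on the policies above (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Thresholds stated on the page.
INACTIVE_AFTER = timedelta(days=30)
MAX_CONSECUTIVE_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=30)
# Assumed value: the page gives no speed figure for Impossible Traveler.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    success: bool
    lat: float  # geolocation already resolved from the source IP (assumed)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def inactive_account_access(events, inactive_after=INACTIVE_AFTER):
    """Flag a successful login that follows the same user's previous successful
    login by more than `inactive_after`. Failed attempts are not counted as
    access (assumption). Returns [(user, ts), ...]."""
    last_seen, incidents = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            continue
        prev = last_seen.get(e.user)
        if prev is not None and e.ts - prev > inactive_after:
            incidents.append((e.user, e.ts))
        last_seen[e.user] = e.ts
    return incidents


def impossible_traveler(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive successful logins whose IP geolocations would require
    faster-than-plausible travel. Returns [(user, ts, distance_km), ...]."""
    last_seen, incidents = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            continue
        prev = last_seen.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            # Same location in no time is fine; a different location in no time,
            # or at more than max_speed_kmh, is not.
            if km > 0.0 and (hours <= 0.0 or km / hours > max_speed_kmh):
                incidents.append((e.user, e.ts, round(km)))
        last_seen[e.user] = e
    return incidents


def login_failures(events, max_failures=MAX_CONSECUTIVE_FAILURES, window=FAILURE_WINDOW):
    """Flag more than `max_failures` consecutive failures inside a sliding
    `window`. A success ends the run; a recorded incident also resets it so one
    burst produces one incident. Returns [(user, ts, failures_in_window), ...]."""
    runs, incidents = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            runs.pop(e.user, None)  # a success breaks the consecutive run
            continue
        run = [t for t in runs.get(e.user, []) if e.ts - t <= window]
        run.append(e.ts)
        if len(run) > max_failures:
            incidents.append((e.user, e.ts, len(run)))
            run = []
        runs[e.user] = run
    return incidents


def parse_ts(s):
    return datetime.fromisoformat(s)


BERLIN = (52.52, 13.405)
SAMPLE_EVENTS = [  # constructed sample data, not real logs
    # alice: logs in again after 45 days -> Inactive Account Access
    LoginEvent("alice", parse_ts("2024-01-01T09:00"), True, 48.8566, 2.3522),
    LoginEvent("alice", parse_ts("2024-02-15T09:00"), True, 48.8566, 2.3522),
    # bob: London, then New York 30 minutes later -> Impossible Traveler
    LoginEvent("bob", parse_ts("2024-03-01T10:00"), True, 51.5074, -0.1278),
    LoginEvent("bob", parse_ts("2024-03-01T10:30"), True, 40.7128, -74.0060),
    # carol: six failures in ten minutes -> Login Failures
    *[LoginEvent("carol", parse_ts("2024-03-01T12:00") + timedelta(minutes=2 * i), False, *BERLIN) for i in range(6)],
    LoginEvent("carol", parse_ts("2024-03-01T12:15"), True, *BERLIN),
    # dave: six failures 25 minutes apart -> never more than 2 in the window, no incident
    *[LoginEvent("dave", parse_ts("2024-03-01T08:00") + timedelta(minutes=25 * i), False, *BERLIN) for i in range(6)],
    # erin: five failures, a success, three failures -> run broken, no incident
    *[LoginEvent("erin", parse_ts("2024-03-02T08:00") + timedelta(minutes=i), False, *BERLIN) for i in range(5)],
    LoginEvent("erin", parse_ts("2024-03-02T08:06"), True, *BERLIN),
    *[LoginEvent("erin", parse_ts("2024-03-02T08:07") + timedelta(minutes=i), False, *BERLIN) for i in range(3)],
]


def run_all(events):
    """Evaluate every modelled policy and return a policy-name -> incidents map."""
    return {
        "Inactive Account Access": inactive_account_access(events),
        "Impossible Traveler": impossible_traveler(events),
        "Login Failures": login_failures(events),
    }


if __name__ == "__main__":
    for policy, hits in run_all(SAMPLE_EVENTS).items():
        print(policy, hits)
```

The `dave` and `erin` cases show the two ways a burst of failures escapes the Login Failures rule: the failures fall outside the 30-minute window, or a success interrupts the run. Tuning either threshold changes what the rule catches, which is the trade-off static policies make in exchange for not needing a learned baseline.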