If you activated the Cloud Identity Engine on your tenant and configured directory sync in Cloud Identity Engine for Azure Active Directory (Azure AD), SaaS Security Inline can now obtain user information from Azure AD through the Cloud Identity Engine. This additional information is available to you in the Discovered Users view and in the Users & Groups area of the Create New Policy Recommendation page.

For the Discovered Users view , SaaS Security Inline matches the discovered users with user information from Azure AD to display additional user details, such as the user's department, region, and manager. You can also filter the view according to these additional details.

For the Create New Policy Recommendation page, you now have the option to include users and groups from Cloud Identity Engine in your policy recommendations. SaaS Security Inline obtains the users and groups from Azure AD through the Cloud Identity Engine. SaaS Security Inline also obtains the dynamic user groups that the Cloud Identity Engine has defined.

When you create policy rule recommendations at the tenant level, you can now specify the Allow action for more applications. Tenant-level policy rule recommendations, if committed on the firewall, affect only the application tenants identified in the recommendation. The Allow action explicitly permits network traffic on selected tenants, and was previously supported for Box. The Allow action is now also supported for GitHub, Microsoft SharePoint, and Slack.

Behavior Threats is a new feature in SaaS Security that helps you identify potential threats to your organization from compromised accounts, malicious insiders, and data breaches. Specifically, Behavior Threats examines how your organization’s users are interacting with sanctioned SaaS applications to identify suspicious user activities that might indicate attempts to steal or corrupt data.

New customers who purchase a license that includes Data Security will have access to Behavior Threats immediately. For existing customers with Data Security, we are rolling out Behavior Threats over the coming weeks. If you're an existing customer and you want get started with Behavior Threats sooner, contact us at behavior-threats-support@paloaltonetworks.com.

You can now create Custom Admin Roles for SSPM in the Strata Cloud Manager. With this launch, you have the extended capability of managing the Role-Based Access Control, leveraging the Identity and Access Management (I&AM) central framework for complete authentication and authorization.

Data Security supports Microsoft Labeling for Office 365 connectors. You can apply data labels to assets in your Office 365 connectors, thus classifying and protecting sensitive information in your organization.

Data Security supports OU based Selective Scanning for Google Drive on Strata Cloud Manager.

Data Security supports Selective Scanning for Office 365 and Box apps on Strata Cloud Manager.