The Zero Trust Security → Behaviors screen lets you define dynamic conditions that detect suspicious, risky, or non-compliant activity across your organization. These behaviors are not standalone actions—they act as conditions that can be reused across multiple Sign-In Policies.
They help you enforce adaptive access decisions based on context such as:
- Device risk
- User behavior
- Sign-in patterns
- IP reputation
- Recent history
📍 To access this screen, go to Zero Trust Security → Behaviors
Each Behavior Type represents a category of detection logic. Within each type:
- A default behavior is provided by the system (read-only)
- You can create multiple custom behaviors with your own thresholds or filters
Each behavior includes a ••• where you can:
| Behavior Type | Options |
|---|---|
| Default | View or Duplicate |
| Custom | View, Edit, Duplicate, or Delete |
This allows you to use system-provided templates or customize logic to match your organization's risk model.
Create a New Custom Behavior
lick Create Behavior to open the configuration modal. You’ll be asked to:
- Name your behavior
- Select a Behavior Type
- Configure type-specific options (varies by type)
Once created, behaviors become available as conditions when building Sign-In ****Policies.
Available Behavior Types
| Type | What It Detects |
|---|---|
| New Device | Sign-ins from previously unseen devices |
| Out of Radius | Location-based anomalies outside past proximity |
| New Country | Sign-ins from countries not seen in recent history |
| Impossible Travel | Improbable travel speeds between sign-in locations |
| Last Sign-In Date | Long periods of account inactivity |
| Untrusted IP | Risky or anonymous IP addresses (VPN, proxy, abuse) |
| Breached Email | Email address found in public breach data |
| Consecutive Failures – Same Account | Repeated failed logins to one account |
| Consecutive Failures – Any Account | Failed logins across multiple accounts |
| Device Posture Check | Whether a device passed or failed posture validation (User Sign-In policies only) |
Using Behaviors in Sign-In Policies
Once created, behaviors can be added as conditions to any Sign-In Policy—enabling dynamic access control based on context.
During sign-in or access evaluation:
- The system checks whether any behaviors in the policy are triggered
- If so, it applies the defined policy action (e.g., Deny, Require MFA, Block IP)
Example Policy Condition:
“Allow access only if the device is trusted, and the IP is not untrusted.”
This adaptive model replaces static rules with real-time, context-aware security enforcement.
Updated
Comments
0 comments
Please sign in to leave a comment.