>
    Strata Copilot
    View the Health Status of Application Scans
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. View the Health Status of Application Scans
    Download PDF
    SaaS Security

    View the Health Status of Application Scans

    Table of Contents

    View the Health Status of Application Scans

    After you onboard a SaaS app to SaaS Security Posture Management, you should periodically verify that app scans are working.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Security Posture Management license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    After you onboard a SaaS app to SaaS Security Posture Management, SSPM will scan the app at regular intervals. Depending on the app and the administrator permissions that were given to SSPM during onboarding, SSPM performs one or more scans. The basic scan, which is supported for all apps, is the Config Scan. During a Config Scan, SSPM determines if the app's security settings conform to SSPM's recommendations for best practices.
    Additional scans are supported for only a subset of apps. If a Risky Account Scan is supported for the app, SSPM scans the app for accounts that weren’t provisioned by using your organization's identity provider. If a 3rd Party Plugins Scan is supported, SSPM scans the app for information about third-party functionality that is hosted in the app.
    Because changes in the connected app and temporary conditions might cause a scan to fail, you should periodically verify that app scans are working. For example, changes in a service account that was used to onboard the app to SSPM might cause scans to fail. Some changes that can cause scans to fail include changed login credentials, changed permissions, and deleted or expired tokens or API keys. Scans might also fail due to temporary connectivity issues or internal SSPM errors.
    SSPM sends a daily digest to app owners, which includes the health status of app scans. You can also view the overall health status of app scans from the Applications page. From there, you can navigate to the app's details page to view the status of individual scans.
    1. Log in to Strata Cloud Manager.
    2. Select Select ConfigurationSaaS SecurityPosture SecurityApplications.
    3. View the overall scan status for each app that was onboarded to SSPM.
      The Applications page displays a tile for each app instance that was onboarded to SSPM. The overall scan status for each app appears in the upper-left corner of the tile. If an app supports additional scans beyond the standard Config Scan, this overall status is based on the status of all the scans.
      StatusMeaning
      Up
      The most recent scan of each supported scan type ran successfully, or the scan is currently running.
      Unhealthy
      The most recent scan of one or some of the supported scan types did not run successfully.
      Down
      The most recent scan for all of the supported scan types did not run successfully.
    4. If an app has an overall scan status that is not Up, investigate further.
      1. View Details of the app.
      2. On the details page, click the settings icon (gear icon) in the upper-right corner of the page.
        The settings page shows the scan status for the scans that are supported by the app.
      3. Examine the status of each scan, and take action as needed. The following table describes the meaning of each status value.
        StatusMeaning
        Up
        The scan is working correctly. No action is needed.
        Unhealthy
        Recent attempts to connect to the SaaS app and complete the scan were unsuccessful, but SSPM will continue trying. If further attempts to connect to the SaaS app fail, SSPM will set the App Health status to Down.
        Common reasons for connection failures include 401 and 403 HTTP responses from the SaaS app, and temporary connectivity issues. Verify that the credentials that were supplied to SSPM during onboarding are still valid, and that SSPM has the necessary permissions. Continue to check the App Health to see if it returns to the Up status or is changed to the Down status.
        Down
        Multiple consecutive attempts to connect to the SaaS app to complete the scan were all unsuccessful. Common reasons for connection failures include 401 and 403 HTTP responses from the SaaS app. If the Config Scan status is Up, but other scans are failing, then the likely cause is that SSPM does not have the necessary permissions for the advanced scan.
        Reauthenticate to the SaaS app instance to enable the scan. Make sure you supply SSPM with valid credentials and the necessary permissions.
        Scanning
        		The scan is currently running.

    © 2026 Palo Alto Networks, Inc. All rights reserved.