To begin securing the Supported SaaS Applications, you must connect them to Prisma SaaS by authenticating to the application using an administrator account (the specific privilege requirements vary from application to application). After you successfully authenticate, Prisma SaaS receives a token from the cloud app for establishing and maintaining a secure connection. Prisma SaaS then connects directly to the application programming interface (API) for that app, which enables the scanning of all historical data that resides within the app, as well as continually monitoring modified or new data, and identifying policy violations and incidents.

To perform data discovery, Prisma SaaS gets metadata for all your files and folders on the application. Metadata includes file properties and attributes, and application-level metadata such as file owner, email recipients, and  collaborators. For certain apps with structured data such as Salesforce, and messaging apps such as Slack, Facebook Workplace, and email apps, Prisma SaaS scans both structured and unstructured data.  All files such as attachments that are unstructured, the files are scanned and the metadata is always stored. Even though Prisma SaaS scans structured data, it does not store metadata for every field and message unless the field or message has some content that matches a data pattern defined on Prisma SaaS. This is done to minimize the privacy risk by storing all of your metadata.