Begin Scanning a Workplace by Facebook App

Authorize the Prisma SaaS app to connect to Workplace by Facebook to scan all content shared within the app.
To connect a Workplace by Facebook app and begin scanning assets, you need to:
  • Ensure that you have a Workplace account with administrator privileges.
  • Authorize the Prisma SaaS app on the Facebook Third-Party Marketplace to access your account. This integration uses OAuth to generate the access token with the required read-only permissions that enable Prisma SaaS to get metadata on the posts, comments, member profiles, and groups.
If you have a previous version of the Workplace app, you must uninstall it.
workplace-outdated-app.png
For information on which automated remediation capabilities Prisma SaaS supports with Workplace by Facebook, refer to Supported Applications with Remediation.

Add Workplace by Facebook App

In order for Prisma SaaS to scan assets, you must consent to specific permissions during the course of adding the Workplace by Facebook app.
  1. Add the Workplace by Facebook app to Prisma SaaS.
    1. Log in to Prisma SaaS.
    2. On the
      Dashboard
      , click
      +Add a Cloud App
      , and select
      Workplace by Facebook
      .
      workplace-by-facebook-tile-frame-beta.png
    3. Select
      Connect to Workplace Account
      .
      workplace-by-facebook-connect.png
      Prisma SaaS redirects you to the Facebook Third-Party marketplace. You must log in to Workplace with administrator privileges to add the Workplace app to Prisma SaaS.
      workplace-by-facebook-login.png
    4. Review the
      Permissions
      that you are authorizing for the Prisma SaaS app and
      Add to Workplace
      .
      The following permissions are required:
      workplace-by-facebook-add.png
      Permission
      Description
      Read user email
      The user’s email address is required to determine if the member is an internal or external user. Prisma SaaS compares the domain in the email address against the list of internal domains that you have configured to identify whether the user is external to the organization.
      List group members
      The list of group members within each workplace group is required to determine content exposure and collaborators. For example, if the group includes one or more members outside of your organization who collaborate on the assets being shared, then the group is classified as having external exposure.
      Read group content
      Permission to read the content such as posts, comments and attachments shared within the group to scan for sensitive information.
      Read all messages
      Access to chat messages sent to any user on the Workplace app to scan for sensitive information.
      Read user timeline
      Permission to read the posts, comments and attachments on each user's timeline to scan for sensitive information.
    5. Log in to Prisma SaaS to complete the remaining workflow.
      After you review the permissions displayed in the popup window, you are still in your Workplace app and are not redirected to Prisma SaaS.
  2. Give a descriptive name to this app instance and specify an incident reviewer.
    1. Select the Workplace app in the Cloud Apps list.
      workplace-by-facebook-add2.png
    2. Enter a descriptive
      Name
      to differentiate this instance of Workplace by Facebook from other instances.
  3. Start scanning the new Workplace by Facebook app for risks.
    1. Select
      Settings
      Cloud Apps & Scan Settings
      .
    2. In the Cloud Apps row that corresponds to the new Workplace by Facebook app, select
      Actions
      Start Scanning
      .
      Prisma SaaS scans all assets in the associated Workplace by Facebook app and identifies incidents. Depending on the number of assets, it may take some time to complete the process. However, as soon as you begin to see this information populating on the Prisma SaaS
      Dashboard
      , you can begin to Assess Incidents.
  4. During the discovery phase, as Prisma SaaS scans files and matches them against enabled default policy rules.
    Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, improve the results.

Identify Risks

When you add a new cloud app, Prisma SaaS automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. (
    Optional
    ) Modify match criteria for existing policy rules.
  2. (
    Optional
    ) Add new policy rules.
    Consider the business use of your app, then identify risks unique to your enterprise. As necessary, add new:
  3. (
    Optional
    ) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.

Fix Workplace App Issues

The most common issues related to adding a Workplace app are as follows:
Symptom
Explanation
Solution
Workplace for Facebook app stopped scanning for assets.
August 2020 Facebook improved the Workplace API to support OAuth. Prisma SaaS no longer needs the outdated app and cannot communicate with it.
You can identify the version of your Workplace app based on its location in the Workplace Admin Panel:
  • (New)
    Integrations
    Added to Workspace
  • (Outdated)
    Integrations
    Custom Integrations
If you have the outdated version of the Workplace app, you must migrate to the revamped app.
Uninstalling the Workplace app is mandatory because only one instance of Prisma SaaS can be installed for a Workplace account.
To migrate to the new Workplace by Facebook app:
  1. From Prisma SaaS
    Cloud Apps
    list,
    Delete Cloud App
    for Workplace app.
  2. From the Workplace Admin Panel, select
    Integrations
    .
  3. Locate the outdated Workplace app in
    Custom Integrations
    , then
    Delete Integration
    .
  4. Repeat the onboarding process in Prisma SaaS.
workplace-outdated-app.png
When you try to onboard the new Workplace app, Prisma SaaS returns a connection error:
Not connected. Sorry, there was an error connecting to your account
. Also, Workplace Admin Console shows an error for the onboarded Workplace app:
App install has failed
.
See explanation above.
Uninstall the Workplace app you just tried to onboard:
  1. From the Workplace Admin Panel, select
    Integrations
    .
  2. Locate the outdated Workplace app in
    Added to Workspace
    , then
    Uninstall
    it.
  3. Delete the outdated app as outlined in previous troubleshooting tip.
  4. Repeat the onboarding process in Prisma SaaS.

Recommended For You