1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. SaaS Security API
    5. Monitor SaaS Security API
    6. Group-Based Visibility
    7. Enable Group-based Selective Scanning (Beta)

    Enable Group-based Selective Scanning (Beta)

    Learn how to enable group-based selective scanning.
    Group-based visibility requires Azure Active Directory integration, which has many benefits, including group-based selective scanning—the ability to include or exclude specific AD groups from scans. Sometimes you might want to monitor the assets and accounts of specific groups of users and not others. If your cloud app supports selective scanning, SaaS Security API enables you to select which directory groups to include or exclude from both forward scan and backward scan.
    Selective scanning is an advanced feature. Before you enable selective scanning, contact SaaS Security Technical Support to have your use case reviewed by an experienced Support Engineer.
    Selective scanning is supported by specific cloud apps. By default, selective scanning is not enabled, and it’s important that you decide if you want to enable selective scanning—before you connect a cloud app to SaaS Security API. Otherwise, you must delete the cloud app instance, then reconnect the cloud app to SaaS Security API to rediscover all assets and events for all users: all assets and events previously stored will be deleted and incidents reported for users no longer included in the selected groups are automatically closed.
    Before you enable selective scanning, learn about selective scanning behaviors.

    Selective Scanning Behaviors

    As you maintain selective scanning and groups in active directory services, consider how SaaS Security API updates your scan results, user activities, and incidents.
    Group/User Change
    SaaS Security API...
    Remove a user from a group in directory services
    Removes assets or user activities. Closes any related incidents. Takes up to 7 days.
    Remove a group from Selective Scanning
    Add a user to a group in directory services.
    Records new user activities.
    Add a group to Selective Scanning

    Enable Selective Scanning During Onboarding

    It’s easier to enable group-based selective scanning when you onboard the cloud app. If, however, you choose to enable selective scanning after you add the cloud app, you must delete the cloud app instance and add it back so SaaS Security API can discover all assets and events for all users.
    1. Log in to SaaS Security.
    3. Connect your the cloud app to SaaS Security API.
    4. Select
      Enable selective scanning
      .
      Scan
       and
      Exclude from scan
       options only display during initial configuration.
    5. Choose a subset of groups to scan using
      >>
       to add all groups or
      >
       to add selected groups.
    6. Select
      Save
       to continue.

    Enable Selective Scanning After Onboarding

    It’s easier to enable group-based selective scanning when you onboard the cloud app. If, however, you choose to enable afterward, you must delete the cloud app instance and add it back so SaaS Security API can discover all assets and events for all users.
    1. Log in to SaaS Security.
    3. Select
      Settings
      Cloud Apps and Scan Settings
      .
    4. In the Cloud App list, click on the cloud app for which you want to enable selective scanning.
    5. Select
      Enable selective scanning
      .
    6. Click
      Yes
       to delete the cloud app instance.
    7. Choose a subset of groups to scan using
      >>
       to add all groups or
      >
       to add selected groups.
    8. Select
      Save
       to continue.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo