Enable Group-based Selective Scanning (Beta)
Learn how to enable group-based selective scanning.
Group-based visibility requires Azure Active Directory
integration, which has many benefits, including group-based selective
scanning—the ability to include or exclude specific AD groups
from scans. Sometimes you might want to monitor the assets and accounts
of specific groups of users and not others. Depending on your cloud
app, SaaS Security API enables you to select which directory groups
to include or exclude from both forward scan and backward scan.
Selective
scanning is an advanced feature. Before you enable selective scanning,
contact SaaS Security Technical Support to have your use case reviewed
by an experienced Support Engineer.
Selective scanning
is supported by specific cloud
apps. By default, selective scanning is not enabled, and
it’s important that you decide if you want to enable selective scanning—before
you connect a cloud app to SaaS Security API. Otherwise, you must
delete the cloud app instance, then reconnect the cloud app to SaaS
Security API to rediscover all assets and events for all users:
all assets and events previously stored will be deleted and incidents
reported for users no longer included in the selected groups are
automatically closed.
Before you enable selective scanning,
learn about selective scanning behaviors.
Selective Scanning Support
Selective scanning is available on the following cloud
apps. Not all cloud apps are conducive to selective scanning. A
cloud app must integrate with directory services and must enforce
file ownership. Many cloud apps are designed to share files with multiple
owners, so they don’t have the necessary characteristics to work
in a selective scanning framework.
Cloud App | Selective Scanning Supported | Notes |
|---|---|---|
Box |  | — |
Microsoft Office 365 — OneDrive | | — |
Selective Scanning Behaviors
As you maintain selective scanning and groups in active
directory services, consider how SaaS Security API updates your
scan results, user activities, and incidents.
Group/User Change | SaaS Security API... |
|---|---|
Remove a user from a group in directory services | Removes assets or user activities. Closes
any related incidents. Takes up to 7 days. |
Remove a group from Selective Scanning | |
Add a user to a group in directory services. | Records new user activities. |
Add a group to Selective Scanning |
Enable Selective Scanning During Onboarding
It’s easier to enable group-based selective
scanning when you onboard the cloud app. If, however, you choose
to enable selective scanning
after you add the cloud app, you must delete the cloud app
instance and add it back so SaaS Security API can discover all assets
and events for all users.
- Log in to SaaS Security.
- Connect your the cloud app to SaaS Security API.
- SelectEnable selective scanning.
ScanandExclude from scanoptions only display during initial configuration. - Choose a subset of groups to scan using>>to add all groups or>to add selected groups.
- SelectSaveto continue.
Enable Selective Scanning After Onboarding
It’s easier to enable group-based
selective scanning when you onboard the cloud app. If, however,
you choose to enable afterward, you must delete the cloud app instance
and add it back so SaaS Security API can discover all assets and
events for all users.
- Log in to SaaS Security.
- Select .
- In the Cloud App list, click on the cloud app for which you want to enable selective scanning.
- SelectEnable selective scanning.
- ClickYesto delete the cloud app instance.
- Choose a subset of groups to scan using>>to add all groups or>to add selected groups.
- SelectSaveto continue.
