View Misconfigured Settings Detected by SSPM


You can view misconfigured settings through built-in SSPM rules, or through policies that you define.
SSPM updated its terminology related to policies in July 2024. Previously, the term policy referred to a built-in recommendation for securing SaaS applications. Each policy was a grouping of similar settings, related to the recommendation, across all applications. What was previously called a policy in SSPM is now called a rule. The purpose and behavior of rules are the same as when they were called policies; only the name has changed.
The term policy now refers to an administrator-defined grouping of SaaS application instance settings for SSPM to monitor.
From the Security Configurations view in SSPM, you can quickly identify misconfigured settings in your SaaS applications. You can then navigate to details about a misconfigured setting to remediate the problem.
SSPM has built-in rules for alerting you to misconfigured settings across all SaaS applications that were onboarded to SSPM. You can also define policies, which alert you to misconfigured settings for a group of application instances and settings that you specify.
Rules — Rules are predefined groupings of similar settings across SaaS applications. Each rule describes a security best practice. For each SaaS application that SSPM supports, SSPM maps the SaaS application's settings to the related SSPM rules.
For example, SSPM defines a rule that recommends that MFA is implemented to prevent attackers from using stolen credentials to access sensitive SaaS apps. For Dropbox, the setting Two-step verification maps to this rule. For Office 365, the settings that map to this rule include Enable policy to block legacy authentication, Require MFA for all users, and Require MFA for administrative roles. When SSPM detects that an application setting is misconfigured, it triggers a violation for the setting. On the Security Configurations view, SSPM changes the associated rule's status to Failed. A daily digest email that SSPM sends to the application owner also includes information about failed rules.
Policies — Like rules, policies are associated with SaaS application settings. The difference is that policies are not predefined by SSPM. Instead, you create policies to monitor specific settings for specific application instances. This capability helps you to concentrate your attention on the applications and settings that are most critical to your organization. When SSPM detects a new violation status for any of the settings that the policy is tracking, SSPM changes the policy's status to Failed. A daily digest email that SSPM sends to the application owner also includes information about failed policies.
For example, for the subset of applications that are most critical to your organization, enforcing multi-factor authentication (MFA) and limiting session length might be of primary importance to you. In this case, you could create a policy that monitors only these critical applications and only the settings related to MFA and session duration. If SSPM detects a new violation in these settings, SSPM updates the policy status on the Security Configurations page. In this way, SSPM helps you track the status of your most critical applications to maintain a healthy security posture.
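The following added example (not SSPM code or an SSPM API) models the difference in scope described above: the same snapshot of settings can fail the MFA rule while a policy limited to critical instances is unaffected. The data model, instance names, setting values, and the "Passed" label are assumptions made for illustration; only the setting names come from the examples above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Setting:
    instance: str     # application instance name (constructed)
    name: str         # setting name, from the examples above
    rule: str         # rule the setting maps to
    current: str
    recommended: str

    @property
    def violated(self) -> bool:
        return self.current != self.recommended

# Constructed posture snapshot; instance names and values are made up.
SNAPSHOT = [
    Setting("dropbox-corp", "Two-step verification", "MFA", "Required", "Required"),
    Setting("o365-prod", "Require MFA for all users", "MFA", "On", "On"),
    Setting("o365-prod", "Require MFA for administrative roles", "MFA", "On", "On"),
    Setting("o365-sandbox", "Require MFA for all users", "MFA", "Off", "On"),
]

def rule_status(snapshot, rule):
    """A rule covers every onboarded instance whose settings map to it."""
    hits = [s for s in snapshot if s.rule == rule and s.violated]
    return ("Failed" if hits else "Passed"), hits

def policy_status(snapshot, scope):
    """A policy covers only the (instance, setting) pairs the admin chose.

    Also returns scope entries that match nothing in the snapshot: in this
    model they can never fail, so they are worth reviewing as a coverage gap.
    """
    known = {(s.instance, s.name) for s in snapshot}
    hits = [s for s in snapshot if (s.instance, s.name) in scope and s.violated]
    return ("Failed" if hits else "Passed"), hits, sorted(scope - known)

# Hypothetical policy: MFA settings on the two business-critical instances.
CRITICAL_MFA = {
    ("dropbox-corp", "Two-step verification"),
    ("o365-prod", "Require MFA for all users"),
    ("o365-prod", "Require MFA for administrative roles"),
}

if __name__ == "__main__":
    status, hits = rule_status(SNAPSHOT, "MFA")
    print("rule MFA:", status, [(h.instance, h.name, h.current) for h in hits])
    status, hits, gaps = policy_status(SNAPSHOT, CRITICAL_MFA)
    print("policy critical-mfa:", status, "unmatched scope:", gaps)
```
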
  1. To navigate to the Settings Management view, select SSPM > Security Configurations.
  2. Select the tabs to view either the predefined Rules or the administrator-defined Policies.
  3. In the table, locate rules or policies that have a Failed status.
  4. Investigate the Failed status.
    • To investigate a failed rule:
      1. Click the Rule Name to view the application settings that SSPM monitors for the rule or policy.
      2. In the list of settings, locate the ones that have a violation. Click the setting name to view details about the violation, including the current value of the settings and the recommended value. Follow the remediation instructions, or, if automated remediation is available for the application, have SSPM Remediate the setting.
    • To investigate a failed policy:
      1. For the failed policy, identify the applications that are being monitored by the policy. This information is shown in the Applications column of the table.
      2. Navigate to the Applications page (Posture Security > Applications).
      3. Locate the applications that are being monitored by the policy, and View Details.
      4. In the list of settings, locate the ones that have a violation. Click the setting name to view details about the violation, including the current value of the settings and the recommended value. Follow the remediation instructions, or, if automated remediation is available for the application, have SSPM Remediate the setting.