Manage findings
Findings are security issues detected within SaaS applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Zero Trust and immediately start taking action on the issues found.
- You have added a CASB integration.
- Your scan has surfaced at least one security finding.
-
In Zero Trust ↗, go to CASB > Findings.
You will see the findings detected across all integrations.
-
To view details for an individual finding, select View.
The individual findings page shows all detected instances of the finding within a specific integration. You can expand an individual row to view details for a particular instance.
-
To resolve the finding, expand the Remediation Guide and follow the step-by-step instructions in the UI.
Other actions you can take include creating an HTTP block policy, updating the finding’s severity level, or hiding irrelevant findings from view.
File findings for some integrations (such as Microsoft 365 and Box) may link to an inaccessible file. To access the actual shared file:
- In Zero Trust ↗, go to CASB > Findings.
- Locate the individual finding, then select View.
- In Active Instances, select the file name.
- In Shared Links, select the linked file instance.
Cloudflare CASB labels each finding with one of the following severity levels:
- Critical: Suggests the finding is something your team should act on today.
- High: Suggests the finding is something your team should act on this week.
- Medium: Suggests the finding should be reviewed sometime this month.
- Low: Suggests the finding is informational or part of a scheduled review process.
You can change the severity level for a finding at any time, in case the default assignment does not suit your environment:
- In Zero Trust ↗, go to CASB > Findings.
- Locate the finding you want to modify and select View.
- In the severity level drop-down menu, choose your desired setting (Critical, High, Medium, or Low).
The new severity level will only apply to the finding within this specific integration. If you added multiple integrations of the same SaaS application, the other integrations will not be impacted by this change.
Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your company’s security policy. This means going from viewing a CASB finding, like the use of an unapproved SaaS application, to preventing or controlling access in minutes.
To create a Gateway policy directly from a CASB finding:
-
In Zero Trust ↗, go to CASB > Findings.
-
Locate the finding you want to modify and select View.
-
Find the instance you want to block and select its three-dot menu.
-
Select Block with Gateway HTTP policy. A new browser tab will open with a pre-filled HTTP policy.
-
(Optional) Customize the HTTP policy. For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads.
-
Select Save.
Your HTTP policy will now prevent future instances of the security finding.
After reviewing your findings, you may decide that certain findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab.
- In Zero Trust ↗, go to CASB > Findings.
- In the Active tab, select the checkboxes for the findings you want to hide.
- Select Ignore.
The findings will be moved from Active to Ignored. CASB will continue to scan for these findings and report detections in the Ignored tab. You can move ignored findings back to the Active tab at any time.
- In Zero Trust ↗, go to CASB > Findings.
- In the Active tab, locate the finding you want to modify and select View.
- Under Instances, select the Active tab and locate the instance you want to hide.
- Select the three-dot menu, then select Hide.
The instance will be moved from Active to Hidden. If the finding occurs again for the same user, CASB will report the new instance in the Hidden tab. You can move hidden instances back to the Active tab at any time.