Manage security findings
Findings are security issues detected within SaaS applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings on the Zero Trust dashboard and immediately start taking action on the issues found.
Prerequisites
- You have added a CASB integration.
- Your scan has surfaced at least one security finding.
View findings
Open the Zero Trust dashboard and go to CASB > Findings.
You will see the findings detected across all integrations.
To view details for an individual finding, select View.
The individual findings page shows all detected instances of the finding within a specific integration. You can expand an individual row to view details for a particular instance.
To resolve the finding, expand the Remediation Guide and follow the step-by-step instructions in the UI.
Other actions you can take include creating an HTTP block policy, updating the finding’s severity level, or hiding irrelevant findings from view.
Severity levels
Cloudflare CASB labels each finding with one of the following severity levels:
- Critical: Suggests the finding is something your team should act on today.
- High: Suggests the finding is something your team should act on this week.
- Medium: Suggests the finding should be reviewed sometime this month.
- Low: Suggests the finding is informational or part of a scheduled review process.
Change the severity level
You can change the severity level for a finding at any time, in case the default assignment does not suit your environment:
- In the Zero Trust dashboard, go to CASB > Findings.
- Locate the finding you want to modify and select View.
- In the severity level drop-down menu, choose your desired setting (Critical, High, Medium, or Low).
The new severity level will only apply to the finding within this specific integration. If you added multiple integrations of the same SaaS application, the other integrations will not be impacted by this change.
Resolve finding with a Gateway policy
Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your company’s security policy. This means going from viewing a CASB finding, like the use of an unapproved SaaS application, to preventing or controlling access in minutes.
To create a Gateway policy directly from a CASB finding:
- In the Zero Trust dashboard, go to CASB > Findings.
- Locate the finding you want to modify and select View.
- Find the instance you want to block and select its three-dot menu.
- Select Block with Gateway HTTP policy. A new browser tab will open with a pre-filled HTTP policy.
- (Optional) Customize the HTTP policy. For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads.
- Select Save.
Your HTTP policy will now prevent future instances of the security finding.
Hide findings
After reviewing your findings, you may decide that certain findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab.
Hide a finding
- In the Zero Trust dashboard, go to CASB > Findings.
- In the Active tab, select the checkboxes for the findings you want to hide.
- Select Ignore.
The findings will be moved from Active to Ignored. CASB will continue to scan for these findings and report detections in the Ignored tab. You can move ignored findings back to the Active tab at any time.
Hide an instance of a finding
- In the Zero Trust dashboard, go to CASB > Findings.
- In the Active tab, locate the finding you want to modify and select View.
- Under Instances, select the Active tab and locate the instance you want to hide.
- Select the three-dot menu, then select Hide.
The instance will be moved from Active to Hidden. If the finding occurs again for the same user, CASB will report the new instance in the Hidden tab. You can move hidden instances back to the Active tab at any time.