Manage findings
Findings are security issues detected within SaaS and cloud applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Zero Trust and immediately start taking action on the issues found.
Before you begin, make sure that:
- You have added a CASB integration.
- Your scan has surfaced at least one security finding.
Posture findings include misconfigurations, unauthorized user activity, and other data security issues.
To view details about the posture findings that CASB found:
- In Zero Trust, go to CASB > Posture.
- Choose SaaS or Cloud.
- To view details about a finding, select the finding's name.
CASB will display details about your posture finding, including the finding type, severity level, number of instances, associated integration, current status, and date detected. For more information on each instance of the finding, select Manage.
To manage the finding's visibility, you can update the finding's severity level or hide the finding from view. Additionally, some findings provide a remediation guide to resolve the issue or support creating a Gateway HTTP policy to block the traffic.
Cloudflare CASB labels each finding with one of the following severity levels:
Severity level | Urgency |
---|---|
Critical | Suggests the finding is something your team should act on today. |
High | Suggests the finding is something your team should act on this week. |
Medium | Suggests the finding should be reviewed sometime this month. |
Low | Suggests the finding is informational or part of a scheduled review process. |
You can change the severity level for a finding at any time in case the default assignment does not suit your environment:
- In Zero Trust, go to CASB > Posture.
- Locate the finding you want to modify and select Manage.
- In the severity level drop-down menu, choose your desired setting (Critical, High, Medium, or Low).
The new severity level will only apply to the posture finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change.
Content findings include instances of potential data exposure as identified by DLP.
To view details about the content findings that CASB found:
- In Zero Trust, go to CASB > Content.
- Choose SaaS or Cloud.
- To view details about a finding, select the finding's name.
CASB will display details about your content finding, including the file name, a link to the file, matching DLP profiles, associated integration, and date detected.
AWS users can configure a compute account to scan for data security resources within their S3 resources.
File findings for some integrations (such as Microsoft 365 and Box) may link to an inaccessible file. To access the actual shared file:
From CASB > Posture:
- In Zero Trust, go to CASB > Posture.
- Choose SaaS or Cloud.
- Locate the individual finding, then select Manage.
- In Active Instances, select the file name.
- In Shared Links, select the linked file instance.

From CASB > Content:
- In Zero Trust, go to CASB > Content.
- Choose SaaS or Cloud.
- Select the file name of the detected asset.
- In Sharing details, select the linked file instance.
After reviewing your findings, you may decide that certain posture findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab.
- In Zero Trust, go to CASB > Posture.
- Locate the active finding you want to hide.
- In the three-dot menu, select Move to ignore.
The finding's status will change from Active to Ignored. CASB will continue to scan for these findings and report detections. You can change ignored findings back to Active with the same process at any time.
- In Zero Trust, go to CASB > Posture.
- Choose the active finding you want to hide, then select Manage.
- In Active, find the instance you want to hide.
- In the three-dot menu, select Move to hidden.
The instance will be moved from Active to Hidden within the finding. If the finding occurs again for the same user, CASB will report the new instance in the Hidden tab. You can move hidden instances back to the Active tab at any time.
Security findings from CASB let you build fine-grained Gateway policies that prevent future unwanted behavior while still allowing usage that aligns with your organization's security policy. This means going from viewing a CASB finding, like the use of an unapproved application, to preventing or controlling access in minutes.
CASB supports creating a Gateway policy with findings from the Google Workspace integration:
Supported CASB findings for Gateway policies
- Google Workspace: File publicly accessible with edit access
- Google Workspace: File publicly accessible with view access
- Google Workspace: File shared outside company with edit access
- Google Workspace: File shared outside company with view access
To create a Gateway policy directly from a CASB finding:
- In Zero Trust, go to CASB > Posture or CASB > Content.
- Choose SaaS or Cloud.
- Choose the finding you want to modify, then select Manage.
- Find the instance you want to block and select its three-dot menu.
- Select Block with Gateway HTTP policy. A new browser tab will open with a pre-filled HTTP policy.
- (Optional) Configure the HTTP policy. For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads.
- Select Save.
Your HTTP policy will now prevent future instances of the security finding.