View the Health Status of Application Scans

After you onboard a SaaS application to SSPM, you should periodically verify that application scans are working.
After you onboard a SaaS application to SSPM, SSPM will scan the application at regular intervals. Depending on the application and the administrator permissions that were given to SSPM during onboarding, SSPM performs one or more scans. The basic scan, which is supported for all applications, is the Config Scan. During a Config Scan, SSPM determines if the application's security settings conform to SSPM's recommendations for best practices.
Additional scans are supported for only a subset of applications. If a Risky Account Scan is supported for the application, SSPM scans the application for accounts that were not provisioned by using your organization's identity provider. If a 3rd Party Plugins Scan is supported, SSPM scans the application for information about third-party functionality that is hosted in the application.
Because changes in the connected application and temporary conditions might cause a scan to fail, you should periodically verify that application scans are working. For example, changes in a service account that was used to onboard the application to SSPM might cause scans to fail. Some changes that can cause scans to fail include changed login credentials, changed permissions, and deleted or expired tokens or API keys. Scans might also fail due to temporary connectivity issues or internal SSPM errors.
SSPM sends a daily digest to application owners, which includes the health status of application scans. You can also view the overall health status of application scans from the Applications page. From there, you can navigate to the application's details page to view the status of individual scans.
  1. Navigate to SaaS Security Posture Management.
  2. Select Posture Security > Applications.
  3. View the overall scan status for each application that was onboarded to SSPM.
    The Applications page displays a tile for each application instance that was onboarded to SSPM. The overall scan status for each application appears in the upper-left corner of the tile. If an application supports additional scans beyond the standard Config Scan, this overall status is based on the status of all the scans.
    | Status | Meaning |
    | --- | --- |
    | Up | The most recent scan of each supported scan type ran successfully, or the scan is currently running. |
    | Unhealthy | The most recent scan of one or some of the supported scan types did not run successfully. |
    | Down | The most recent scan for all of the supported scan types did not run successfully. |
  4. If an application has an overall scan status that is not Up, investigate further.
    1. View Details of the application.
    2. On the details page, click the settings icon (gear icon) in the upper-right corner of the page.
      The settings page shows the scan status for the scans that are supported by the application.
    3. Examine the status of each scan, and take action as needed. The following table describes the meaning of each status value.
      | Status | Meaning |
      | --- | --- |
      | Up | The scan is working correctly. No action is needed. |
      | Unhealthy | Recent attempts to connect to the SaaS application and complete the scan were unsuccessful, but SSPM will continue trying. If further attempts to connect to the SaaS application fail, SSPM will set the App Health status to Down. Common reasons for connection failures include 401 and 403 HTTP responses from the SaaS application, and temporary connectivity issues. Verify that the credentials that were supplied to SSPM during onboarding are still valid, and that SSPM has the necessary permissions. Continue to check the App Health to see if it returns to the Up status or is changed to the Down status. |
      | Down | Multiple consecutive attempts to connect to the SaaS application to complete the scan were all unsuccessful. Common reasons for connection failures include 401 and 403 HTTP responses from the SaaS application. If the Config Scan status is Up, but other scans are failing, then the likely cause is that SSPM does not have the necessary permissions for the advanced scan. Reauthenticate to the SaaS application instance to enable the scan. Make sure you supply SSPM with valid credentials and the necessary permissions. |
      | Scanning | The scan is currently running. |
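
The rollup and triage rules from the two status tables above, written out as an added example; this is not SSPM code and does not call any SSPM API. The function names, the input shape (scan name mapped to status string) and the sample data are assumptions made for illustration, as is treating both per-scan Unhealthy and Down as "did not run successfully".

```python
# Added example: models the status rules described on this page.
# Input shape (scan name -> status string) is constructed for illustration.
FAILING = {"Unhealthy", "Down"}   # assumption: both mean the last scan did not succeed
HEALTHY = {"Up", "Scanning"}      # a running scan counts toward an overall Up

def overall_status(scans):
    """Roll per-scan statuses up into the tile status on the Applications page."""
    if not scans:
        raise ValueError("every onboarded application has at least the Config Scan")
    unknown = set(scans.values()) - FAILING - HEALTHY
    if unknown:
        raise ValueError(f"unrecognized status values: {sorted(unknown)}")
    failing = [name for name, s in scans.items() if s in FAILING]
    if not failing:
        return "Up"
    return "Down" if len(failing) == len(scans) else "Unhealthy"

def triage(scans):
    """Return (overall status, list of actions) following the page's guidance."""
    status = overall_status(scans)
    actions = []
    for name, s in scans.items():
        if s == "Unhealthy":
            actions.append(f"{name}: verify onboarding credentials and permissions; "
                           "keep checking whether it returns to Up or changes to Down")
        elif s == "Down":
            if name != "Config Scan" and scans.get("Config Scan") == "Up":
                actions.append(f"{name}: likely missing permissions for this scan; "
                               "reauthenticate with the necessary permissions")
            else:
                actions.append(f"{name}: reauthenticate with valid credentials "
                               "and the necessary permissions")
    return status, actions

# Constructed sample: per-scan statuses as read from three settings pages.
SAMPLE = {
    "app-a": {"Config Scan": "Up", "Risky Account Scan": "Scanning"},
    "app-b": {"Config Scan": "Up", "3rd Party Plugins Scan": "Down"},
    "app-c": {"Config Scan": "Down", "Risky Account Scan": "Unhealthy"},
}

if __name__ == "__main__":
    for app, scans in SAMPLE.items():
        status, actions = triage(scans)
        print(app, status)
        for action in actions:
            print("  -", action)
```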