Automatic Scanning Configuration

Automate storage container protection and scanning.

For customers who want to implement universal storage container protection, we offer the ability to apply both event-based and scheduled scanning for S3 Buckets, Azure Blob Containers, and GCP Buckets. When these features are activated, we also perform a daily discovery of new storage resources and add them to our existing schedule or event-based scanning if they match a rule that's been activated.

Note that for Azure and GCP, you'll have to link these cloud accounts into CSS first. Refer to our Azure Linked Accounts and GCP Linked Accounts documentation for more details.

Global Settings

Under the Global Settings page, we offer the Protect All and Enable Smart Scanning options.

Protect All

The Protect All option enables the following:

  • Real-Time Protection for AWS and Azure

  • Monthly Schedule Protection for AWS, Azure, and GCP

When you turn the slider on, you'll notice that every other slider except Enable Smart Scanning turns on as well. This is a visual representation of what Protect All does.

If this feature is enabled, we'll do the following:

  • Create a Scheduled Scan for all Amazon S3, Azure Blob, and GCP Buckets that triggers on the first of every month.

  • Begin monitoring all Amazon S3 and Azure Blob containers for new files. We'll scan files as they enter those containers.

Enable Smart Scanning

For customers who want to minimize infrastructure costs in exchange for a slightly longer scan time, we offer Smart Scanning. While Event-Based scanning typically keeps agents standing by to immediately scan files that enter storage containers, Smart Scan turns Event Agents off when they are not actively scanning, to minimize your compute costs.

Once new files are detected, they will enter a queue and our Agents will spin up to scan the files in the queue. Note that it can take up to 10 minutes from a new file introduction to the creation of a fully functional agent.

You can modify the threshold at which agents begin spinning up. The default is 1 queued file before agent creation begins, but this feature obeys the Configuration > Event Settings page: the application uses the Scaling Threshold set for each region, or the default value if no custom configuration exists for that region.

Read more about Smart Scanning here: Smart Scan

AWS S3 Buckets Protection

We offer more granular controls for each cloud provider that we offer scanning for. The settings here are relatively straightforward:

S3 Bucket Real-Time Protection

We enable Real-Time protection for all Amazon S3 Buckets, which means that once protection is running, any new files that are dropped into any of these buckets will be scanned. The application runs a job once a day to poll for new buckets and adds them to protection if they are found.

S3 Bucket Monthly Schedule Protection

We create a Schedule that targets all Amazon S3 Buckets. This schedule fires off on the first day of every month. The application runs a job once a day to poll for new buckets and adds them to the schedule if they are found.

S3 Bucket Exclusion Lists

If you want to add exceptions to the buckets we protect or schedule scans for, this can be configured in the S3 Bucket Exclusion List and the S3 Region Exclusion List. Simply click the dropdown, find the relevant entry, and click 'Add Exclusion list'.

The S3 Bucket Exclusion List adds buckets that will be skipped, while the S3 Region Exclusion list adds entire regions that will be skipped. These rules apply for both Real-Time Protection and Monthly Schedule Protection.

In the example below, I've added 'jl-frombucket' to my Exclusion list and it will not be protected when Real-Time or Monthly Schedule Protection is turned on.

Azure Blob Protection

Similar to Amazon S3, we offer individual configuration settings for Azure Blob Containers.

Blob Container Real-Time Protection

We enable Real-Time protection for all Azure Blob Containers, which means that once protection is running, any new files that are dropped into any of these containers will be scanned. The application runs a job once a day to poll for new containers and adds them to protection if they are found.

Blob Container Monthly Schedule Protection

We create a Schedule that targets all Azure Blob Containers. This schedule fires off on the first day of every month. The application runs a job once a day to poll for new containers and adds them to the schedule if they are found.

If you want to add exceptions to the containers we protect or schedule scans for, this can be configured in the Blob Container Exclusion List and the Azure Region Exclusion List. Simply click the dropdown, find the relevant entry, and click 'Add Exclusion list'.

Blob Container Exclusion Lists

The Blob Container Exclusion List adds containers that will be skipped, while the Azure Region Exclusion List adds entire regions that will be skipped. These rules apply for both Real-Time Protection and Monthly Schedule Protection.

GCP Buckets Protection

The same concepts for AWS and Azure apply to GCP, except we don't offer Real-Time protection for GCP yet.

GCP Bucket Monthly Schedule Protection

We create a Schedule that targets all GCP Buckets. This schedule fires off on the first day of every month. The application runs a job once a day to poll for new buckets and adds them to the schedule if they are found.

If you want to add exceptions to the buckets we protect or schedule scans for, this can be configured in the GCP Bucket Exclusion List and the GCP Region Exclusion List. Simply click the dropdown, find the relevant entry, and click 'Add Exclusion list'.

GCP Bucket Exclusion Lists

The GCP Bucket Exclusion List adds buckets that will be skipped, while the GCP Region Exclusion List adds entire regions that will be skipped. These rules apply for both Real-Time Protection and Monthly Schedule Protection; since Real-Time Protection isn't offered for GCP yet, only the Monthly Schedule is affected today.

Additional Notes

Agent Network Configuration

Agents that we spin up for you will obey the networking configuration set in Configuration > Event Agent Settings. Note that we scan files on a per-region basis, which means we create agents in each region where you have storage containers protected. The Agent Settings page allows a unique configuration per region; we obey those rules on a per-region basis and follow the Default rules wherever no explicit configuration is set.

For more information, refer to our Event Agent Settings documentation.

Container Protection Behavior

When there are existing Event Agent configurations in place, Protect All and Real-Time Protection don't overwrite those configurations. For example, if a bucket was already protected before Real-Time Protection was activated, it remains protected even after Real-Time Protection is deactivated.

Protect 'bucket-1' -> Enable Protect All -> Disable Protect All -> 'bucket-1' will remain protected

For Schedules, we create an entirely separate schedule; it behaves like any other schedule and won't interfere with existing schedules already in place.
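The following model ties together the rules described on this page: the bucket and region exclusion lists, the per-region Scaling Threshold with default fallback used by Smart Scanning, and the rule that disabling Protect All leaves previously protected containers alone. It is an added example, not CSS product code; the class and method names, the `default` region key, and the bucket inventory are constructed assumptions.

```python
"""Model of the automatic-scanning rules on this page (added example, not
CSS product code). ProtectionState, the 'default' key and the inventory
below are assumptions made for illustration."""
from dataclasses import dataclass, field

# Constructed inventory: (bucket, region) pairs as daily discovery would find them.
DISCOVERED = [("logs-prod", "us-east-1"), ("jl-frombucket", "us-east-1"),
              ("bucket-1", "eu-west-1"), ("scratch", "ap-south-1")]


@dataclass
class ProtectionState:
    bucket_exclusions: set = field(default_factory=set)
    region_exclusions: set = field(default_factory=set)
    # Buckets protected explicitly, independently of Protect All.
    manual: set = field(default_factory=set)
    # Buckets Protect All added; tracked apart so disabling it removes only these.
    auto: set = field(default_factory=set)
    # Per-region Scaling Threshold; 'default' applies where no override exists.
    thresholds: dict = field(default_factory=lambda: {"default": 1})

    def excluded(self, bucket, region):
        # Exclusion lists apply to both Real-Time and Monthly Schedule protection.
        return bucket in self.bucket_exclusions or region in self.region_exclusions

    def daily_discovery(self, inventory, protect_all):
        """Add newly discovered, non-excluded buckets when Protect All is on."""
        if protect_all:
            for bucket, region in inventory:
                if not self.excluded(bucket, region) and bucket not in self.manual:
                    self.auto.add(bucket)

    def disable_protect_all(self):
        # Only remove what Protect All added; manually protected buckets stay.
        self.auto.clear()

    def protected(self):
        return self.manual | self.auto

    def scaling_threshold(self, region):
        # Region-specific threshold, falling back to the Default configuration.
        return self.thresholds.get(region, self.thresholds["default"])

    def agents_needed(self, region, queued_files):
        # Smart Scan keeps agents off until the queue reaches the region threshold.
        return queued_files >= self.scaling_threshold(region)
```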
