Retroactive Scan
Important
Netskope supports one active retroactive scan per application instance. If you intend to scan the same content against multiple policies, you can do so by combining these policies together under a single retroactive scan.
A retroactive policy scans all the files and folders for the app instance right from the inception of the SaaS app. A retroactive scan is decoupled from ongoing (a.k.a future transaction) scan.
Creating a retroactive scan was part of the same policy wizard as the ongoing scan. A retroactive scan could be created on a single policy.
There were no SLAs defined to complete a retroactive scan.
There was no apparent indication of the status of the scan.
As part of the policy wizard, most customers selected the retroactive scan by default, although they used it for testing purposes. Once a retroactive scan was triggered, the administrator could not stop until the scan was complete, even if the administrator disabled the policy. Such scenarios added a heavy load on API Data Protection resulting in an overall degradation of performance.
This feature separates retroactive scan from the ongoing scan. The configuration workflow is as follows:
The API Data Protection policy wizard is divided into two - ongoing scan and retroactive scan.
The administrator creates an ongoing scan using the existing NEW POLICY wizard. This is the default behavior.
The administrator navigates to the RETROACTIVE SCANS page where all the retroactive scans are listed. The administrator can drill down to each scan to get additional details.
The administrator can group multiple ongoing policies for a SaaS app to create a single retroactive scan.
A life-cycle of a retroactive scan, in a nutshell, is as follows:
Create a Retroactive Scan > Fetch Files (fetch files from SaaS app based on the ongoing policy) > Fetch Files Phase Complete > Scan Files > Scan Files Phase Complete > Matched Policy.
In the UI, you can see the following status: In-Progress > Completed.
Create a Retroactive Scan Policy
You can create a retroactive scan for an existing ongoing policy. Ensure that at least one ongoing policy is available for a SaaS app. To configure a retroactive scan, follow the procedure below:
Navigate to Policies > API Data Protection.
Under the SaaS tab, click RETROACTIVE SCANS.
The Retroactive Scans page opens. This page displays a list of retroactive scans in different states; submitted, scan on-hold, in-progress, stopped, completed.
Click SUBMIT SCAN REQUEST.
The Configure Retroactive Scan window opens. Read the note in the UI before proceeding.
In RETROACTIVE SCAN NAME, enter a unique scan name.
Note
By default, the name is pre-populated in Retro_Name_[AppName]_[InstanceName]_YYYYMMDD format. You can overwrite the pre-populated name. However, you should ensure that the name is unique.
In SELECT POLICIES, select a SaaS app and instance from the Application and Instance drop-down lists respectively.
A list of ongoing policies for the SaaS app is listed.
Note
For a list of apps that support retroactive scan, see API Data Protection Policy Actions per Cloud App
From the ongoing policies list, select the policies for which you plan to create a retroactive scan.
Note
You cannot select an ongoing policy for which a retroactive scan is already in progress. You can select the policy once the retroactive scan is either stopped or completed.
Click SCAN.
The UI displays the total number of files and users to be scanned and the number of API calls to be made. Click OK to confirm the retroactive scan.
Note
If you have configured to receive email notifications under Policies > API Data Protection > SaaS, Netskope will send alerts to the configured email address.
Additional Functions
Here are the additional functions that you can perform on the Retroactive Scans page.
On the top-right section of the page, there is a scan filer. You can select either All Scans, In-Progress Scans, Stopped Scans, or Completed Scans option from the drop-down list. The UI filters the list based on the selection.
All Scans: All retroactive scans including in-progress, stopped, and completed.
In-Progress Scans: Retroactive scans that are running presently.
Stopped Scans: Retroactive scans that are stopped.
Completed Scans: Retroactive scans that are completed.
You can stop or delete a retroactive scan. Click the More Options icon (...) to the right of the retroactive scan entry and select Stop Retroactive Scan or Delete Retroactive Scan.
Note
You need to first stop an in-progress retroactive scan before deleting it.
You can view the details of a retroactive scan. Click the More Options icon (...) to the right of the retroactive scan entry and select View Scan Details. The Retroactive Scan Details panel appears on the right of the page. The panel displays the status of the scan and other policy details like scan start/end time, policy name, instance, folders scanning, DLP, action, and more.
Note
The policy hits on the Retroactive Scans page is the total hit counts of all policies. To know the per policy hit count, you can click View Scan Details and under the POLICIES TO SCAN section, you can view the per policy hit count.
Important Points to Remember
Once you start a retroactive scan, API Data Protection fetches the files from the SaaS app, scans, and completes the scan. You may notice that the scanned files count is not equal to the final matched policy count. This is because API Data Protection scans all the available objects in the SaaS app based on the policies selected. However, once complete, the matched policy count is the total number of objects that are triggered due to a DLP policy hit.
If multiple ongoing policies are clubbed together to create a single retroactive scan, the time taken to complete the scan may be determined by the policy with the maximum number of objects or users.
Netskope recommends combining multiple ongoing policies to create a retroactive scan. API Data Protection creates a super-set of policies, fetch, and scan objects accordingly. Also, API Data Protection makes live API calls to fetch files for the retroactive scan. If you combine ongoing policies in one retroactive scan, you can save on multiple API calls to the SaaS apps and optimize performance in case of overlapping policies.
You cannot edit or delete an ongoing policy which is part of an in-progress retroactive scan. Adding and deleting of an ongoing policy is possible once the retroactive scan is either stopped or complete.
The progress of the retroactive scan is based on the volume of ongoing changes. When the volume of ongoing changes are low (weekends and off-work hours), retroactive scans progress faster.