Effective December 31, 2024, the Cloud Storage Scanning service has reached End of Life.
Items found by Cloud Storage Scanning (CSS) are listed on the Cloud Storage Detections page. This data is historical and shows when items have been found, quarantined, deleted, or restored. If you have the Enable Quarantine toggle enabled in the CSS configuration, detected threats are quarantined and listed on the Cloud Storage Quarantine page. These items can be managed, allowing you to delete or restore them, removing them from the page.
CSS Detections
On the left navigation menu, go to Monitor > Cloud Storage Detections to view the following information for each detection record:
- Action Taken: Current status of the file, whether it was found, quarantined, deleted, or restored.
- Created At: Time the file was created.
- Detected At: Time the file was detected.
- File Name: Name of the file that was detected.
- Last Updated: Last time the detected file was updated.
- Last Updated By: Last user to update the file.
- Location: Directory of the detected file.
- MD5 hash: MD5 hash of the detected file.
- Owner: Original user to upload the detected file.
- Provider: Cloud storage provider where the file was detected.
- Scan Config: Name of the CSS configuration. Click this to view the scan configuration details.
- SHA256 hash: SHA256 hash of the detected file.
- Threat Name: Threat name of the detected file.
From this page, you can also manually trigger a scan by clicking Scan under the Actions column. Use this feature to bypass the schedule and scan the selected folders in the configured scan.
Data listed on this page is displayed in Coordinated Universal Time (UTC).
CSS Quarantine
To allow CSS to quarantine found threats automatically, toggle on the Enable Quarantine toggle in the CSS configuration. For more information, see the following links:
- Configure Cloud Storage Scanning for Box in Nebula
- Configure Cloud Storage Scanning for OneDrive in Nebula
- Configure Cloud Storage Scanning for Google Drive in Nebula
On the left navigation menu, go to Monitor > Cloud Storage Quarantine to view the following information for each quarantined item:
- File Name: Name of the file that was quarantined.
- Found date: Date the file was detected.
- Location found: Location the file was detected.
- Owner: Original user to upload the quarantined file.
- Provider: Cloud storage provider where the file was detected.
- Quarantine location: Location of the quarantined file.
- Threat Name: Threat name of the quarantined file.
Managing quarantine
Once a file is deemed malicious, it is replaced by a tombstone file, and the malicious file is sent to the configured quarantine folder. The purpose of the tombstone file is to alert the user that the file has been quarantined and advises the user to contact their cloud administrator for additional questions.
If the quarantined file is a false positive, select it and go to Actions > Restore. This will place the file back in its original location and restore access to any collaborators or users with the share link. Restored files are not scanned again until the file hash changes.
NOTICE - For OneDrive, previously shared links remain expired after the file is restored. A new link must be generated and shared again.
To delete the file from quarantine, go to Actions > Delete. The file is sent to the administrator's trash in the cloud storage provider. If the file was deleted by mistake, go to the administrator's trash in the cloud storage provider and restore it from trash. Files in the trash may be deleted permanently after a set amount of time. Reference your cloud storage provider's settings to configure that time.
Return to Cloud Storage Scanning guide.