Real-Time and On-Demand Scanning

Cloud App Security searches for security risks and undesirable data by scanning messages and their attached files in email services, files stored in other cloud applications, object records such as documents and feed posts in Salesforce, and messages in private Teams chats.

Cloud App Security performs real-time scans and on-demand (manual) scans. When detecting malicious or undesirable content, Cloud App Security automatically takes action against the email message, file, Salesforce object record, or Teams chat message according to scanning rules. Configure policies to scan specific targets and then take certain action or send a notification based on the security risk.


Manual scan is not applicable for Microsoft Teams (Chat) and Salesforce.

By default, Cloud App Security scans all possible email messages, files, Salesforce object records, and private Teams chats in the cloud applications and services it protects. Scannable files include any file that is not encrypted, password protected, or exceeds user-configured scanning restrictions.

Real-time scanning and on-demand scanning apply to Advanced Threat Protection policies and Data Loss Prevention policies.

Real-Time Scan

Cloud App Security scans the following in real time:

  • For email services, scanning occurs when an email message arrives at a protected mailbox.

  • For cloud storage applications, scanning occurs when a user uploads, creates, synchronizes, or modifies a file.

  • For Salesforce, scanning occurs when a user updates an object record.

  • For Teams Chat, scanning occurs when a user sends a private chat message.

Manual Scan

Cloud App Security provides two manual scan types:

  • Scan and protect: Analyzes email messages or files, and takes action upon detecting any violation triggering the selected policy.

  • Scan only: Analyzes email messages or files, logs the analysis, and delivers the messages or files to users without taking any action configured in the selected policy. This helps evaluate the Cloud App Security performance with zero impact on mail flow and file sharing.


    This scan type applies to Office 365 services and Gmail only.

Run a manual scan to ensure that Cloud App Security scans all messages and files. Completely scanning cloud applications and services in this way minimizes the risk of advanced threats or data protection violations. A manual scan affects all users, groups and sites; however optionally configure Cloud App Security to scan specific targets, as needed.

Cloud App Security generates and sends a comprehensive report after a manual scan to specified users, consolidating the scan results and displaying detailed information.

Manual scan requirements:

  • For a full license, run a manual scan on up to 31 days of data.


    A trial license supports a manual scan only on one day of data, and a manual scan covers 25 mailboxes, 5 SharePoint sites, 5 teams, or 5 cloud application service accounts.

  • Run only one manual scan for one kind of policy at a time.

    For example, you can perform a manual scan for Exchange Data Loss Prevention policies and SharePoint Online Data Loss Prevention policies at the same time. You cannot simultaneously perform two manual scans for Exchange Data Loss Prevention policies.