Third-party apps
Discover SaaS applications, assess their reputation and exposure, and act on risky permissions across your organization.
Overview
Third-Party Apps gives security teams a consolidated view of SaaS applications detected through connected sources. Use it to investigate risky OAuth permissions, review application reputation and adoption, classify apps, and distribute supported issues to employees.
Open the module for your Elba region:
Navigate the workspace
The module has five tabs:
- Radar highlights the risks and inventory changes that need attention.
- Inventory lists detected applications and their accounts.
- Issues tracks security issues and their remediation status.
- Playbooks contains available automation templates and your configured workflows.
- Sources shows the connections that supply application data.
The sources and actions available to your organization depend on its connected integrations. Use the capability and connection status shown in Elba as the source of truth.
Use the Radar
The Radar contains seven current widgets:
- Risky usage for applications with risky permissions
- Critical & High risk CVEs for recently reported high-severity vulnerabilities
- Data Breaches for applications potentially affected by a reported breach
- Playbooks for configured workflows and available templates
- Discovered apps grouped by reputation status
- Shadow AI apps for AI applications that have not been explicitly approved
- Low adoption apps for applications with low user counts
Select See all on a widget to open the related filtered inventory. Use Export to download the Radar report when you need an offline review.
Review the inventory
The Inventory table displays:
- Application name
- Reputation score
- SSO adoption
- Exposure to risky permissions
- Account count
- Application status
Search by application name or filter by status, reputation, owner, source, hosting location, category, compliance information, CVEs, data breaches, AI classification, or risky permissions.
Reputation score
Elba maps the application score to four states:
- Trusted: 7 to 10
- Questionable: 5 to less than 7
- Untrusted: 0 to less than 5
- Not assessed: no score is available yet
The score is an investigation aid, not an approval decision. Review the application, publisher, permissions, users, and business need before changing its status.
Application status
Applications can have one of four statuses:
- Discovered for a newly detected application
- To review for an application awaiting a decision
- Approved for an application your organization permits
- Unapproved for an application your organization does not approve
Changing an application to Approved prevents new issues from being created for that application. Review existing issues and your organization's policy before approving it.
Application details
Select an application to open its details. The panel has two tabs:
- About shows the reputation assessment, risky permissions, data breaches, CVEs, available compliance reports, hosting locations, and DNS information.
- Accounts shows adoption, login methods, detected user accounts, and the account actions supported by each source.
The panel also lets you assign an owner, set business criticality, and update the application status.
Investigate issues
The Issues tab is the operational queue for detected account and permission risks. You can filter issues by member, group, source, status, dates, application status, application, publisher, category, hosting, compliance information, AI classification, reputation, risky permissions, CVEs, or data breaches.
Available bulk actions are determined by the source and issue state. They can include:
- Distribute issues to enrolled employees
- Ignore selected issues
- Revoke permissions where the source supports it
An issue is not automatically sent to an employee when it is detected. Distribution happens through an admin action or an active playbook.
Configure playbooks
Open Playbooks to select a template or create a workflow. The editor only offers triggers, conditions, and actions supported by the selected source. Depending on the template, a workflow can distribute permission-review issues or notify administrators about CVEs and data breaches.
Before activation:
- Confirm that the intended source is connected and synchronized.
- Review the trigger and every condition.
- Configure exclusions or an allow-list when the source supports them.
- Check who will receive the action and whether a notification is sent immediately.
- Activate the workflow and monitor its run history.
Notification timing is controlled by the workflow and communication settings; there is no universal fixed weekly schedule.
Employee remediation
Distributed issues appear in the employee's Checklist. For a Third-Party Apps issue, the employee can:
- Ignore the issue and continue using the application.
- Revoke the permissions when the connected source supports direct revocation.
If a source connection has an error, actions that change the source can be temporarily unavailable. Administrators retain the issue history and can act from the Issues tab.
Recommended review workflow
- Connect the relevant sources and wait for their initial synchronization.
- Start with Radar to identify risky usage, vulnerable apps, breaches, Shadow AI, and newly discovered apps.
- Open Inventory to verify the affected application, accounts, reputation, and business owner.
- Set the application to To review, Approved, or Unapproved according to your policy.
- Use Issues for account-level investigation and supported remediation.
- Add a playbook only after validating the intended audience, exclusions, and actions.