AI Access Security
Discover Risks Posed By GenAI Apps
Table of Contents
Discover Risks Posed by GenAI Apps
Discover risks posed by generative AI (GenAI) applications based on the use case,
allowed traffic, data in motion or at rest, risky application, or application
users.
Where Can I Use This? | What Do I Need? |
|---|---|
| One of the following:
|
Use the
AI Access Security
Insights dashboard to filter the generative AI
(GenAI) application usage on your network. The AI Access Security
Insights dashboard provides in-depth details to help you understand which GenAI apps
are being used and by who.Discover Risks Posed by GenAI Apps by Use Case
Discover risks posed by generative AI (GenAI) applications based on the GenAI
application use case.
Review the Supported Use Cases for full descriptions of all use
case categories that a GenAI app falls into.
- Log in toStrata Cloud Manager.
- Select to view theAI Access SecurityInsights dashboard.TheAI Access SecurityInsights dashboard displays GenAI application usage on your network by use case by default as well as the following high-level information about your top GenAI use cases:
- 1. Time FilterFilter your GenAI use case breakdown for the time period you want to investigate. You can selectPast 1 Hour,Past 3 Hours,Past 24 Hours,Past 7 Days, orPast 30 Days.
- 2. Top Use CasesTheAI Access SecurityInsights dashboard dynamically displays the top four GenAI app use cases based on activity on your network. This allows you to quickly investigate security incidents related to your most widely used GenAI apps and implement access control policy rules.
- Applications—Total number of GenAI apps that fall into the particular use case. A line graph provides an at-a-glance breakdown of Sanctioned, Tolerated, and Unsanctioned GenAI apps.
- Users—Total number of users who accessed any GenAI app that falls into the particular use cases.
- 3. All Other Use Cases
- Applications—Total number of GenAI apps that fall into any other GenAI app use case. A line graph provides an at-a-glance breakdown of Sanctioned, Tolerated, and Unsanctioned GenAI apps.
- Users—Total number of users who have accessed any GenAI app that falls into any other GenAI app use case.
- 4. Threats DetectedThreats are detected by the Vulnerability Protection profile attached to the Web Security policy rule. This profile detects threats such as malicious and phishing URLs, malicious files, or malware. TheThreats Detectedis a summary of all threats across all GenAI apps and enforcement points.
- Alerted—Total number of threats detected that generated an alert.
- Blocked—Total number of threats detected that were blocked by yourNGFWorPrisma Accesstenants.
- 5. Sensitive Data DetectedSensitive data is detected when traffic matches the match criteria in yourEnterprise Data Loss Prevention (E-DLP)data profile.
- Alerted—Total number of DLP Incidents that generated an alert.
![]()
- Review use caseto see a detailed breakdown of all Sanctioned, Tolerated, and Unsanctioned GenAI apps in the use case you're interested in.
- Review the use case details page to understand GenAI applications usage.The use case details page provides granular data about the GenAI app usage. You can use this information to understand GenAI app usage to help inform you of what policy rules your security administrators need to write to strengthen your security posture. This ensures that your organization is safely adopting GenAI apps and to prevent exfiltration of sensitive data.
- 1. Use Case SummaryThe use case summary aggregates all important GenAI app usage information for the use case you're investigating.
- Most Used Applications—The most used GenAI application for the use case. This also includes the application tag (Sanctioned,Tolerated, orUnsanctioned) currently assigned to the GenAI app.
- Application Breakdown—Summary of the total number of GenAI apps associated with the use case as well as a summary of the application tags across all detected GenAI apps.
- User Breakdown—Summary of the total number of users who accessed any of the GenAI apps associated with the use case. A summary of how many users accessedSanctioned,Tolerated, orUnsanctionedGenAI apps is also provided.
- 2. ApplicationsA list of all GenAI apps associated with the use case accessed by your users. You can apply aSort Byfilter to the use case GenAI apps to sort them byUser Count,Threats Count,Transferred Count. GenAI apps are sorted from highest to lowest count.The applications list displays the following information about each GenAI app detected.
- Application Name—Name of the detected GenAI app. Click the app name to view detailed usage information. You're redirected to the Activity InsightsApplications
- Tag—Current GenAI application tag. You can apply a new tag by clicking the tag you want to apply.Palo Alto Networksgroups the child app-IDs for app functionality in a container App-ID. However, tagging an App-ID container is not supported. You must individually tag the specific child App-ID that are sanctioned, unsanctioned, or tolerated within your organization.
- Users—Total number of users who accessed the GenAI app. Click the user count to see a list of all the users.
- Threats—Total number of detected threat activity.
- Transferred—Total amount of data in gigabyte (GB) uploaded to or downloaded from the GenAI app.
- Sensitive Asset—Number of DLP incidents generated due to sensitive data detected and blocked byEnterprise Data Loss Prevention (E-DLP).
- Enterprise Available—Indicates whether the GenAI app offers an enterprise plan or license schema.
- Data Used in ML—Indicates whether the GenAI app uses user-uploaded data for training purposes.
- Risk Score—Risk score of the GenAI app.
- 3. Use Case Highlights
- Applications—Total number of GenAI apps that fall into any other GenAI app use case. A line graph provides an at-a-glance breakdown of Sanctioned, Tolerated, and Unsanctioned GenAI apps.
- Users—Total number of users who have accessed any GenAI app that falls into any other GenAI app use case.
- 5. Recommended Actions
- Alerted—Total number of DLP Incidents that generated anAlertacross all GenAI apps associated with the use case.
- Blocked—Total number of DLP incidents that wereBlockedacross all GenAI apps associated with the use case.
![]()
- Create a custom Security policy rule to control access to a GenAI application.In the example above,Openai-Baseis the most used GenAI app in theCode Assistant & Generatoruse case. Additionally, this is anUnsanctionedapplication and indicates this an application not approved for use on your corporate network.In this case, you can modify the default GenAI access policy rule to explicitly block all access toOpenAIif this is an application your organization should not access.
Discover Risks Posed by GenAI Apps by Risky Apps
Discover risky generative AI (GenAI) applications accessed on your
network.
- Log in toStrata Cloud Manager.
- Select .
- Configure the filters for the application list to narrow down the GenAI apps you want to investigate.
- Configure theTime RangeandScope Selectionto filter for the specific time range and enforcement point you want to investigate.
- Add Filterand add the following filters.
- Source Type - Users—Filters the list of applications to only display GenAI apps accessed by users in your organization. This is a required filter.
- GenAI Application - TRUE—Filters the list of application to only display GenAI apps. This is a required filter.
- App Risk Score—For theApp Risk Scorefilter, select the specific risk score you want to investigate. All GenAI applications are displays if you don't select at least one risk score.In this example, we are investigating applications with a risk score of4and5because these are the risk scores attributed to the riskiest applications.
- Review the list filtered GenAI applications.Some important information to review is:
- Application Name—App-ID of the GenAI app.
- Data Usage—Amount of data uploaded to or downloaded from the GenAI app. This can help you understand the GenAI app usage; a GenAI app with a large volume of data usage could mean that this app is widely used and might need strict controls to prevent exfiltration of sensitive data and malicious actors.
- Tags—Current application tag for the GenAI app. If some of the listed GenAI apps are approved for use, you can modify the tag toToleratedorSanctioned.Palo Alto Networksgroups the child app-IDs for app functionality in a container App-ID. However, tagging an App-ID container is not supported. You must individually tag the specific child App-ID that are sanctioned, unsanctioned, or tolerated within your organization.
![]()
- Create a custom Security policy rule to control access to a GenAI application for specific users.For example, based on your investigation you discover that there are multiple unsanctioned GenAI apps with a large volume of data usage. This poses a security risk because there are users accessing an unapproved app on the network and you don't know what data is being downloaded or uploaded. Until you can perform proper due diligence to understand the GenAI app purpose and who is permitted to use the GenAI app, you canBlockthe GenAI app for all users.Conversely, you notice there are someUnsanctionedGenAI apps listed that but they are GenAI apps approved for use on your network by specific users with a large volume of data usage. In this case, you can change the tag toSanctionedand write a policy rule toAllowusage of the application but only for users in specific roles or departments. In the policy rule you can associate anEnterprise Data Loss Prevention (E-DLP)data profile to prevent exfiltration of sensitive data and a Vulnerability profile to stop attempts to exploit system flaws or gain unauthorized access to systems.
Discover Risks Posed by GenAI Apps by App Users
Discover the risks posed by risky users accessing generative AI (GenAI)
applications.
- Log in toStrata Cloud Manager.
- Select to view theAI Access SecurityInsights dashboard.This displays the top GenAI apps that risky users accessed to help narrow your focus.
- ClickReview use casefor the GenAI app Use Case associated with the GenAI app your risky users are accessing.TheAI Access SecurityInsights dashboard displays the GenAI application accessed on your network by use case by default and displays the following high-level information about your top GenAI app users. Click on the user count o view theUser NameorIP Addressand the number of GenAIApplicationsthat user accessed.
- User BreakdownThe provides a summary of the total number of users accessing any GenAI app associated with the selected GenAI use case. A breakdown is provided of how many users are accessingSanctioned,Tolerated, andUnsanctionedapplications.ClickTotal Usersto view a list of all users accessing GenAI apps associated with the selected use case.
- Users by GenAI Use CaseThis provides a summary of the total number of users accessing each individual GenAI app associated with the selected GenAI use case. TheSanctioned,Tolerated, andUnsanctionedGenAI apps are listed with the total user count for each individual app.Apply theUser CountSort Byfilter to sort GenAI apps from higher to lowest user count.
![]()
- Create a custom Security policy rule to control access to a GenAI application for specific users.For example, based on your investigation you discover that a large number of users are accessing thebing-ai-uploadingGenAI app. While this is aSanctionedGenAI, it's only sanctioned for a specific set of users within your organization. You can decide to write a policy rule to explicitly block access to users which shouldn't have access to this GenAI app to prevent misuse and a Security policy rule to explicitly allow access to users who are approved to access the GenAI app. Alternatively, you can write a policy rule to allow access for all users but implement data loss and threat prevention measures to prevent exfiltration of sensitive data and prevent threats such as malicious and phishing URLs, malicious files, or malware.
