Tag Discovered SaaS Apps

Learn how to categorize discovered SaaS applications on SaaS Security Inline as either trusted or untrusted.
SaaS Security Inline enables you to categorize discovered SaaS applications on Data Security to monitor users of SaaS apps more efficiently and filter SaaS apps.
Tags are local only to Data Security and will not be applied to your firewall or Prisma Access.
There are two ways to apply tags to SaaS applications on SaaS Security Inline:
  • Default Tags—Apply predefined tags (for example, Unsanctioned or Sanctioned) to reflect whether or not your organization approves of the SaaS application.
  • Custom Tags—Create and apply custom tags to group applications with common attributes to reflect how your organization views SaaS applications. For example, create and apply a Communication tag to Gmail.
If you activated the Cloud Identity Engine on your tenant, and configured directory sync in Cloud Identity Engine for Azure AD or Okta Directory, SaaS Security Inline can also provide tagging recommendations. Specifically, SaaS Security Inline uses information from the Cloud Identity Engine to determine if a detected app is an enterprise application accessible through your identity provider. If the app is an enterprise application, SaaS Security Inline will recommend that you tag the app as Sanctioned. You can also open the Tag Recommendations window from the Discovered Applications view. The Discovered Applications view displays the Tag Recommendations action only if the Cloud Identity Engine is available with the necessary directory syncs configured.

Apply Default Tags

Based on a SaaS application’s risk factors, use the default tags available to categorize a SaaS application as sanctioned or unsanctioned so that you can differentiate unsanctioned SaaS apps from the other SaaS apps that are being used by employees in your organization.
  • Sanctioned—App sanctioned by your organization and being used by employees in your organization.
  • Tolerated—App that isn’t trusted like a sanctioned app, but that is allowed to be used by employees until your organization is able to replace it with a more secure app so as not to inhibit the productivity of your users. However, consider creating SaaS policy rule recommendations for tolerated SaaS apps to implement restrictions on specific actions (for example, upload or download).
  • Unsanctioned—App unsanctioned by your organization for use by employees in your organization.
  • Unknown—Default for SaaS applications that you have not tagged.
  1. Navigate to SaaS Security Inline.
  2. To navigate to the Discovered Applications view, select Applications.
  3. Apply a default tag:
    • (Single App) Locate the SaaS application that you want to tag. In the Actions column, select Tag and choose the default tag.
    • (Multiple Apps) Locate and select the SaaS applications that you want to bulk tag. Select the Bulk Tag that you want to apply to the applications.

Create and Apply Custom Tags

SaaS applications in the Application Dictionary belong to an application category and subcategories to enable filtering, but you cannot modify these attributes. However, you can create your own categorization with custom tags. You can rename or delete a custom tag at any time. When you do, SaaS Security Inline updates or removes the tag from all SaaS apps that use that tag. You can create up to 100 custom tags. Custom tags display alongside default tags.
  1. Navigate to SaaS Security Inline.
  2. To navigate to the Discovered Applications view, select Applications.
  3. Create the custom tag.
    1. Locate a SaaS application that you want to tag with a custom tag. In the Actions column, select Custom Tag.
    2. Add a New Tag by providing a descriptive name for the tag.
  4. Apply a custom tag.
    1. Locate a SaaS application that you want to tag with a custom tag.
    2. In the Actions column, select Custom Tag, and select the custom tag.