Tag Discovered SaaS Apps
Focus
Focus
SaaS Security

Tag Discovered SaaS Apps

Table of Contents

Tag Discovered SaaS Apps

Learn how to categorize discovered SaaS apps on SaaS Security Inline as either trusted or untrusted.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • SaaS Security Inline license
  • NGFW or Prisma Access license
Or any of the following licenses that include the SaaS Security Inline license:
  • CASB-X
  • CASB-PA
SaaS Security Inline enables you to categorize discovered SaaS apps on Data Security to monitor users of SaaS apps more efficiently and filter SaaS apps.
Tags are local only to Data Security and won’t be applied to your NGFW or Prisma Access.
There are two ways to apply tags to SaaS apps on SaaS Security Inline:
  • Default Tags—Apply predefined tags (for example, Unsanctioned or Sanctioned) to reflect whether or not your organization approves of the SaaS app.
  • Custom Tags—Create and apply custom tags to group apps with common attributes to reflect how your organization views SaaS apps. For example, create and apply a Communication tag to Gmail.
If you activated the Cloud Identity Engine on your tenant, and configured directory sync in Cloud Identity Engine for Azure AD or Okta Directory, SaaS Security Inline can also provide tagging recommendations. Specifically, SaaS Security Inline uses information from the Cloud Identity Engine to determine if a detected app is an enterprise app accessible through your identity provider. If the app is an enterprise app, SaaS Security Inline will recommend that you tag the app as Sanctioned. You can also open the Tag Recommendations window from the Discovered Applications view. The Discovered Applications view displays the Tag Recommendations action only if the Cloud Identity Engine available with the necessary directory syncs configured.

Apply Default Tags

Based on a SaaS app’s risk factors, use the default tags available to categorize a SaaS app as sanctioned or unsanctioned so that you can differentiate unsanctioned SaaS apps from the other SaaS apps that are being used by employees in your organization.
  • Sanctioned—App sanctioned by your organization and being used by employees in your organization.
  • Tolerated—App that isn’t trusted like a sanctioned app, but that is allowed to be used by employees until your organization is able to replace it with a more secure app so as not to inhibit the productivity of your users. However, consider creating SaaS policy rule recommendations for tolerated SaaS apps to implement restrictions on specific actions (for example, upload or download).
  • Unsanctioned—App unsanctioned by your organization for use by employees in your organization.
  • Unknown—Default for SaaS apps that you have not tagged.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationSaaS SecurityDiscovered AppsApplications.
  3. Apply a default tag:
    • (Single App) Locate the SaaS app that you want to tag. In the Actions column, select Tag and choose the default tag.
    • (Multiple Apps) Locate and select the SaaS apps that you want to bulk tag. Select the Bulk Tag that you want to apply to the apps.

Create and Apply Custom Tags

SaaS apps in the Application Dictionary belong to an application category and subcategories to enable filtering, but you cannot modify these attributes. However, you can create your own categorization with custom tags. You can rename or delete a custom tag at any time. When you do, SaaS Security Inline updates or removes the tag from all SaaS apps that use that tag. You can create up to 100 custom tags. Custom tags display alongside default tags.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationSaaS SecurityDiscovered AppsApplications.
  3. Create the custom tag.
    1. Locate a SaaS app that you want to tag with a custom tag. In the Actions column, select Custom Tag.
    2. Add a New Tag by providing a descriptive name for the tag.
  4. Apply a custom tag.
    1. Locate a SaaS app that you want to tag with a custom tag.
    2. In the Actions column, select Custom Tag, and select the custom tag.