View Usage Data for Unsanctioned SaaS Apps
Table of Contents
Expand all | Collapse all
-
-
- Allowed List of IP Addresses
-
- Begin Scanning a Bitbucket App
- Begin Scanning a Box App
- Begin Scanning ChatGPT Enterprise App
- Begin Scanning a Cisco Webex Teams App
- Begin Scanning a Confluence App
- Begin Scanning a Confluence Data Center App
- Begin Scanning a Dropbox App
- Begin Scanning a GitHub App
- Begin Scanning a Gmail App
- Begin Scanning a Google Cloud Storage App
- Begin Scanning a Google Drive App
- Begin Scanning a Jira App
- Begin Scanning a Jira Data Center App
- Begin Scanning a Microsoft Azure Storage App
- Begin Scanning a Microsoft Exchange App
- Begin Scanning Office 365 Apps
- Begin Scanning a Microsoft Teams App
- Begin Scanning a Salesforce App
- Begin Scanning a ServiceNow App
- Begin Scanning a ShareFile App
- Begin Scanning a Slack Enterprise App
- Begin Scanning a Slack for Pro and Business App
- Begin Scanning a Workday App
- Begin Scanning a Zendesk App
- Begin Scanning a Zoom App
- Reauthenticate to a Cloud App
- Verify Permissions on Cloud Apps
- Start Scanning a Cloud App
- Rescan a Managed Cloud App
- Delete Cloud Apps Managed by Data Security
- API Throttling
- Configure Classification Labels
- Microsoft Labeling for Office 365
- Google Drive Labeling
- Configure Phishing Analysis
- Configure WildFire Analysis
-
-
-
- What is an Incident?
- Assess New Incidents on Data Security
- Filter Incidents
- Configure Slack Notification Alerts on Data Security
- Security Controls Incident Details
- Track Down Threats with WildFire Report
- Customize the Incident Categories
- Close Incidents
- Download Assets for Incidents
- View Asset Snippets for Incidents
- Analyze Inherited Exposure
- Email Asset Owners
- Modify Incident Status
-
-
-
- What’s SaaS Security Inline?
- Navigate To SaaS Security Inline
- SaaS Visibility for NGFW
- SaaS Visibility and Controls for NGFW
- SaaS Visibility for Prisma Access
- SaaS Visibility and Controls for Panorama Managed Prisma Access
- SaaS Visibility and Controls for Cloud Managed Prisma Access
- Activate SaaS Security Inline for NGFW
- Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits
- Activate SaaS Security Inline for Prisma Access
- Connect SaaS Security Inline and Strata Logging Service
- Integrate with Azure Active Directory
-
-
- SaaS Policy Rule Recommendations
- App-ID Cloud Engine
- Guidelines for SaaS Policy Rule Recommendations
- Predefined SaaS Policy Rule Recommendations
- Apply Predefined SaaS Policy Rule Recommendations
- Create SaaS Policy Rule Recommendations
- Delete SaaS Policy Rule Recommendations
- Enable SaaS Policy Rule Recommendations
- Modify Active SaaS Policy Rule Recommendations
- Monitor SaaS Policy Rule Recommendations
-
- Enable Automatic Updates for SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Import New SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Update Imported SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Remove Deleted SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Manage Enforcement of Rule Recommendations on NGFW
- Manage Enforcement of Rule Recommendations on Panorama Managed Prisma Access
- Change Risk Score for Discovered SaaS Apps
-
-
-
-
- Onboarding Overview for Supported SaaS Apps
- Onboard an Aha.io App to SSPM
- Onboard an Alteryx Designer Cloud App to SSPM
- Onboard an Aptible App to SSPM
- Onboard an ArcGIS App to SSPM
- Onboard an Articulate Global App to SSPM
- Onboard an Atlassian App to SSPM
- Onboard a BambooHR App to SSPM
- Onboard a Basecamp App to SSPM
- Onboard a Bitbucket App to SSPM
- Onboard a BlueJeans App to SSPM
- Onboard a Box App to SSPM
- Onboard a Bright Security App to SSPM
- Onboard a Celonis App to SSPM
- Onboard a Cisco Meraki App to SSPM
- Onboard a ClickUp App to SSPM
- Onboard a Confluence App to SSPM
- Onboard a Contentful App to SSPM
- Onboard a Convo App to SSPM
- Onboard a Couchbase App to SSPM
- Onboard a Coveo App to SSPM
- Onboard a Crowdin Enterprise App to SSPM
- Onboard a Customer.io App to SSPM
- Onboard a Databricks App to SSPM
- Onboard a Datadog App to SSPM
- Onboard a DocHub App to SSPM
- Onboard a DocuSign App to SSPM
- Onboard an Envoy App to SSPM
- Onboard an Expiration Reminder App to SSPM
- Onboard a Gainsight PX App to SSPM
- Onboard a GitLab App to SSPM
- Onboard a Google Analytics App to SSPM
- Onboard a Google Workspace App to SSPM
- Onboard a GoTo Meeting App to SSPM
- Onboard a Grammarly App to SSPM
- Onboard a Harness App to SSPM
- Onboard a Hellonext App to SSPM
- Onboard an IDrive App to SSPM
- Onboard an Intercom App to SSPM
- Onboard a Jira App to SSPM
- Onboard a Kanbanize App to SSPM
- Onboard a Kanban Tool App to SSPM
- Onboard a Kustomer App to SSPM
- Onboard a Lokalise App to SSPM
- Onboard a Microsoft Azure AD App to SSPM
- Onboard a Microsoft Outlook App to SSPM
- Onboard a Microsoft Power BI App to SSPM
- Onboard a Miro App to SSPM
- Onboard a monday.com App to SSPM
- Onboard a MongoDB Atlas App to SSPM
- Onboard a MuleSoft App to SSPM
- Onboard a Mural App to SSPM
- Onboard an Office 365 App to SSPM
- Onboard an Okta App to SSPM
- Onboard a PagerDuty App to SSPM
- Onboard a RingCentral App to SSPM
- Onboard a Salesforce App to SSPM
- Onboard an SAP Ariba App to SSPM
- Onboard a ServiceNow App to SSPM
- Onboard a Slack Enterprise App to SSPM
- Onboard a Snowflake App to SSPM
- Onboard a SparkPost App to SSPM
- Onboard a Tableau Cloud App to SSPM
- Onboard a Webex App to SSPM
- Onboard a Workday App to SSPM
- Onboard a Wrike App to SSPM
- Onboard a YouTrack App to SSPM
- Onboard a Zendesk App to SSPM
- Onboard a Zoom App to SSPM
- Onboarding an App Using Azure AD Credentials
- Onboarding an App Using Okta Credentials
- Register an Azure AD Client Application
- View the Health Status of Application Scans
- Delete SaaS Apps Managed by SSPM
View Usage Data for Unsanctioned SaaS Apps
Get visibility into untrusted SaaS applications that
your employees are using.
SaaS Security Inline identifies the SaaS applications that your employees are using by inspecting
network traffic populated from Strata Logging Service logs.
For comprehensive results, wait up to 24 hours
after you activate SaaS Security Inline on your platform to gain
insight into your SaaS applications.
- Navigate to SaaS Security Inline.
- Select one of the following views:ViewShows you:Helps you:Dashboard ViewGraphical view that summarizes the overall usage of SaaS applications that are in use in your organization.Assess your overall security posture before you drill down into risk data for individual SaaS applications.Discovered Applications ViewList view of SaaS applications in use in your organization.Learn about the SaaS applications that are in use and how many users are accessing them. Use the filter and sort capabilities to analyze metrics andApp Detailsto assess risks.Discovered Users ViewList view of users in your SaaS application ecosystem and their individual, aggregated SaaS application usage.Learn about the users that are accessing discovered SaaS applications. You can filter users by SaaS applications that are important to your organization (for example, high risk apps or social media apps).Application Detail ViewDetail view with risk factors (attributes) for the SaaS applications in use in your organization.Drill down into individual SaaS applications in use in your organization to view details about the SaaS application, its application vendor, and compliance with regulatory standards.Application Dictionary ViewCatalog of SaaS applications with ability to drill down into attributes for numerous industry-wide SaaS applications and those currently in use in your organization.Data includes information about the application, vendor, compliance, and risk characteristics that underlie those SaaS applications.Research the SaaS application, its vendor, and compliance with regulatory standards, then evaluate the risk for a given SaaS application to your organization before you decide to tag it as a sanctioned SaaS application.Policy Recommendations ViewSaaS policy rule recommendations enable you to recommend Security policy rules to your Palo Alto Networks firewall administrator.Remediate risks of unsanctioned SaaS applications and user risky behavior.
Dashboard View
The SaaS Visibility Dashboard view
summarizes the overall usage of SaaS applications that are in use
in your organization, the risk score for these SaaS applications,
and the number of users that are using them.
![](/content/dam/techdocs/en_US/dita/_graphics/uv/saas-security/cmc-inline-dashboard.png)
The following table describes the areas of the Dashboard view.
Dashboard | |
---|---|
Time Range | Filter the dashboard to view overall usage
within a particular time range. You can filter the dashboard to
view usage for the last 7, 30 or 90 days. The default time range
is 90 days for new sessions. |
Applications by Risk | Discovered SaaS application by risk level.
Move your cursor over each circle bar to display the number of associated
SaaS applications within each risk level. Display the data
using the icons provided:
|
Top 10 Categories by Applications | Categories with
the most Usage and Applications . View
all Categories to navigate to the complete Discovered Applications . |
Top 10 Applications by Usage | SaaS applications with the most Usage and Users of SaaS
applications in your app ecosystem. View all Applications to navigate
to the list of Discovered Applications . |
Discovered Applications View
This Discovered Applications view
displays a list of SaaS applications that are in use in your organization, as
well as their risk and usage details.
![](/content/dam/techdocs/en_US/dita/_graphics/uv/saas-security/cmc-discovered-apps-view.png)
The following table describes the areas of the Discovered Applications view.
Discovered Applications | |
---|---|
![]() | Filter by Time Range: Risk, Category, Tags, Rules, Custom
Tags to render a dataset for the selected time frame.
Your filter selection persists across the session. Default time
range is 90 days for new sessions. |
Applications by Risk | Graph that displays the total number of
SaaS applications in your organization that are Low, Medium,
or High risk score. |
Applications by Tag | Graph that displays the total number of SaaS applications in your organization by tag. |
Configure Global Risk Score | Capability to assign unequal
weights to the attributes that underlie each SaaS application’s
risk score. |
![]() | Search SaaS applications in use by Application Name only. |
Bulk Tag | Tags to help
you assign a policy decision to your selected SaaS applications.
This action is available only after you select one or more applications
in the table. |
Change Risk Score | Change the risk score for
the selected SaaS application. This action is available only after
you select one or more applications in the table. |
Download CSV ![]() | Export of the results (dataset) of the Discovered
SaaS apps in CSV file format. To view this element you
must be Super Admin role or Admin role, and not Read Only Admin
role. |
Tag Recommendations
| The Tag Recommendations action is displayed only if you activated the Cloud Identity Engine on your tenant, and configured directory sync in Cloud Identity Engine for Azure AD or Okta Directory. When these conditions are met, SaaS Security Inline can provide tagging recommendations. Specifically, SaaS Security Inline uses information from the Cloud Identity Engine to determine if a detected app is an enterprise application accessible through your identity provider. If the app is an enterprise application, SaaS Security Inline will recommend that you tag the app as Sanctioned. |
Application Name | SaaS
application name as it’s known in the industry. |
Risk | Default,
manual, or custom risk score for the
SaaS application. |
Tenants
|
If SaaS Security Inline supports tenant-level detection for the
SaaS Application, the number of separate application instances
or tenants that were accessed by users. Click on the link to go
to the Tenant Details view, which lists all of the tenants for
SaaS Application.
Because PAN-OS can detect individual
tenants only from unencrypted traffic, SSL decryption must be
enabled on the firewall. If SSL decryption is not enabled on the
firewall, or if tenant-level detection is not supported for the
SaaS application, this column displays 0. |
Category | SaaS application’s service category. For
example, Google Meet is categorized as Internet Conferencing. |
Rules | SaaS policy rule recommendations that apply
to the SaaS application. |
Tag | Tags that you
assigned to these SaaS applications. If you haven’t tagged a SaaS
application, it is automatically tagged as Unknown. |
Users | Displays
the total number of users of the SaaS application. Click on the
link to go to the Discovered Users view with the necessary filters
applied to display a list of those users and related activity. From
this Discovered View, you can export a list of the usernames. |
Usage | Number
of bytes transferred for the selected app. |
Upload | Number of bytes uploaded for the selected
app. |
Download | Number of bytes downloaded for the selected
app. |
Custom Tags | Tags that you
assigned to the SaaS application. |
Actions | Actions
to:
|
![]() |
Give App Feedback icon. Click this icon to send us feedback about
the application and attribute information that is displayed in
SaaS Security Inline. For example, you can notify us of outdated
attributes or adjustments you think we should make to an application's
risk score. You can also request new applications or
attributes. Our application research team will review all
feedback and will schedule product updates on an individual
basis. You can submit feedback up to 10 times each day.
|
Discovered Users View
The Discovered Users view displays
a list of known users in your organization and their application
usage aggregated across all discovered SaaS applications from which
you can apply filters to customize the view.
SaaS Security Inline discovers users by using Strata Logging Service logs,
specifically the source_user_info field. If the firewall
forwards a log to Strata Logging Service and this field is not populated for
a given user, SaaS Security Inline considers that user unknown. The
SaaS Security web interface excludes all application usage data for unknown
users.
If you activated the Cloud Identity Engine on
your tenant and configured directory sync in Cloud Identity Engine for one or more
instances of Azure AD, SaaS Security Inline attempts to match the users it
discovered from Strata Logging Service logs with user information from Azure
AD. If SaaS Security Inline can match the discovered users to Azure AD information,
SaaS Security Inline gets additional details about the user, such as the user's
department, region, and manager.
![](/content/dam/techdocs/en_US/dita/_graphics/uv/saas-security/cmc-discovered-users-view.png)
The following table describes the areas of the Discovered Users view.
Discovered Users | |
---|---|
Add Filter |
Filter by Time Range to render a dataset
for the selected time frame. Your filter selection persists
across the session. Default time range is 90 days for new
sessions.
Add additional filters to filter by user attributes, such as Apps
Used, Tenants, and Users. Some filters apply to user information
that SaaS Security Inline obtains from Azure AD through the
Cloud Identity Engine. These filters include filters for a
user's Role, Department, and Region.
|
User Name | Sort column to display users alphabetically. |
![]() | Search that enables you to identify distinct
users across filtered and unfiltered apps. |
Applications Used | The number of applications that the user accessed. Click on the number of applications to drill down into details about the applications. |
Tenants
|
If SaaS Security Inline supports tenant-level detection for the
SaaS Application, the number of separate application instances
or tenants that were accessed by the user. Click on the link to
go to the Tenant Details view, which lists all of the SaaS
application tenants that the user accessed.
Because PAN-OS can detect individual
tenants only from unencrypted traffic, SSL decryption must be
enabled on the firewall. If SSL decryption is not enabled on the
firewall, or if tenant-level detection is not supported for the
SaaS application, this column displays 0. |
Sessions | Total number of login sessions across filtered
and unfiltered apps. |
Total Usage | Number
of bytes transferred by the user across filtered or unfiltered apps. |
Upload | Number of bytes uploaded by the user across
filtered or unfiltered apps. |
Download | Number of bytes downloaded by the user across
filtered or unfiltered apps. |
Last Session | Last session initiated by the specific user. |
Email
|
The user's email address. SaaS Security Inline obtains this
information from Azure AD through the Cloud Identity Engine.
This column displays only if the Cloud Identity Engine is
activated on your tenant.
|
Active Directory Account
|
If SaaS Security Inline obtained additional information about the
user from Azure AD through the Cloud Identity Engine, the name
of the Azure AD instance that contains the user information.
|
Role
|
The user's role within your organization. SaaS Security Inline
obtains this information from Azure AD through the Cloud
Identity Engine. This column displays only if the Cloud Identity
Engine is activated on your tenant.
|
Department
|
The department to which the user belongs. SaaS Security Inline
obtains this information from Azure AD through the Cloud
Identity Engine. This column displays only if the Cloud Identity
Engine is activated on your tenant.
|
Region
|
The user's country or region of residence. SaaS Security Inline
obtains this information from Azure AD through the Cloud
Identity Engine. This column displays only if the Cloud Identity
Engine is activated on your tenant.
|
Manager Name
|
The user's manager. SaaS Security Inline obtains this information
from Azure AD through the Cloud Identity Engine. This column
displays only if the Cloud Identity Engine is activated on your
tenant.
|
Download CSV ![]() | Export the results (dataset) for all users
to a CSV file. To view this element you must be Super
Admin role or Admin role, and not Read Only Admin role. |
Application Detail View
The Application Detail view displays
details about the application, application vendor, and compliance
with regulatory standards for the selected SaaS application that
is in use in your organization.
![](/content/dam/techdocs/en_US/dita/_graphics/uv/saas-security/saas-visibility-app-details-highres.png)
Application Detail | |
---|---|
Application Type | Product’s
service category. For example, SugarCRM is categorized as ERP. |
Risk Score | Displays the risk score for
the SaaS application. |
Status | Default Tag (aka Sanctioned
Status) that you assigned to the SaaS application. |
Custom Tags | Tags that you
assigned to the SaaS application. |
Policy Recommendations | Recommendations that
define this SaaS application. |
Block Access | Quick method to create a recommendation that
blocks access to this SaaS application. |
Users | Total number of users of the selected SaaS application. |
Usage | Total volume of traffic, both uploads and
downloads, transferred by users of the selected the SaaS application. |
Upload | Total number of bytes uploaded for the selected
SaaS application. |
Download | Number of bytes downloaded by the user across
filtered or unfiltered apps. |
Basic Info | Vendor and market information about this
SaaS application, including NPS. |
![]() | Search that enables you to find compliance
attributes by name of a specific compliance regulation, standard,
framework, or certification. |
Configure Global Risk Score | Capability to assign unequal
weights to the attributes that underlie each SaaS application’s
risk score. |
Security and Privacy | Security attributes to
help you assess if this SaaS application meets your organization’s
security policies. |
Compliance | Compliance information to
help you assess if this SaaS application meets your organization’s
security policies. |
Risk Score | SaaS application’s risk score . |
![]() |
Give App Feedback icon. Click this icon to send us feedback about
the application and attribute information that is displayed in
SaaS Security Inline. For example, you can notify us of outdated
attributes or adjustments you think we should make to an application's
risk score. You can also request new applications or
attributes. Our application research team will review all
feedback and will schedule product updates on an individual
basis. You can submit feedback up to 10 times each day.
|
Application Dictionary View
The Application Dictionary view
simplifies the process of identifying SaaS applications that are
security risks. You can use this dictionary as impartial security
analysis to help you evaluate a given SaaS application.
![](/content/dam/techdocs/en_US/dita/_graphics/uv/saas-security/cmc-application-dictionary-view.png)
The following table describes the areas of the Application Dictionary view.
Application Dictionary | |
---|---|
![]() | |
View Details | Displays App Details for
the SaaS application, including SaaS application characteristics
such as Vendor Attributes and Compliance Attributes. |
Application Name | The
SaaS application name as it’s known in the industry. |
Risk | Displays the risk score for
the SaaS application. |
Category | Product’s
service category. For example, SugarCRM is categorized as ERP. |
![]() | Search that enables you to find SaaS applications
by category and Application Name . |
![]() |
Give App Feedback icon. Click this icon to send us feedback about
the application and attribute information that is displayed in
SaaS Security Inline. For example, you can notify us of outdated
attributes or adjustments you think we should make to an application's
risk score. You can also request new applications or
attributes. Our application research team will review all
feedback and will schedule product updates on an individual
basis. You can submit feedback up to 10 times each day.
|
Policy Recommendations View
The Policy Recommendations view
enables you to filter on or search for the SaaS rule recommendations you
created or edited and determine if those rules were approved by
your firewall administrator or pending.
![](/content/dam/techdocs/en_US/dita/_graphics/uv/saas-security/cmc-policy-rec-view.png)
The following table describes the areas of the Policy Recommendations view.
Policy Recommendations | |
---|---|
![]() | |
Synced | Status that
indicates whether or not your firewall received the SaaS policy rule recommendations. |
Name | Name assigned to the SaaS policy rule recommendations. |
Default | Recommendation type |
Description | Description assigned to the SaaS policy rule recommendations. |
Last Modified | Date that indicates the last time you changed
the rule. |
Enabled | Toggle to submit your SaaS policy rule recommendations. |
![]() | Keyword search that enables you to find SaaS policy rule recommendations that
you created. |
Download CSV ![]() | Export the results (dataset) to a CSV file. To
view this element you must be Super Admin role or Admin role, and
not Read Only Admin role. |