How To Determine Risk Level Of An Application
Symptom
App-ID risk score is designed to help quickly assess the security posture of an application. One can use this information to allow or block access to applications with certain risk scores via Security Policies. This article goes into detail about the different attributes which contribute to an App-ID's risk score.
Environment
- All PAN-OS
- All PAN products that use Applications
Resolution
Types of App-IDs
In the context of this article there are four different types of App-IDs:
- Content App-ID - A Content App-ID is one which is released and available via the Application / Application and Threat Content updates.
- Cloud App-ID - A Cloud App-ID is one which is released and available via the App-ID Cloud Engine (ACE) which is available through a SaaS Security Inline subscription (or CASB-X Bundle)
- SaaS App-ID - A SaaS App-ID is one which covers a SaaS application.
- GenAI App-ID - A GenAI App-ID is one which covers a Generative AI application.
Each type of App-ID (Content, SaaS and GenAI) has different attributes which contribute to the risk score for a given App-ID. Cloud App-IDs don’t have separate attributes for risk score, but use the same attributes as SaaS.
Notes:
- An App-ID is either Content or Cloud, not both.
- An App-ID can be both SaaS and GenAI, either, or none.
- If an App-ID is both Content and SaaS, then SaaS attributes for risk are used.
- If an App-ID is Content but not SaaS, then Content attributes for risk are used.
One can determine the type of App-ID based on characteristics found within the UI.
- Content App-IDs - won’t have the App-ID Cloud Engine tag
- Cloud App-IDs - will have the App-ID Cloud Engine tag
- SaaS App-IDs - will have the value of yes for the SaaS characteristic
- GenAI App-IDs - will have the Generative AI tag
Examples:
- snmpv3 is a Content App-ID (doesn't have the App-ID Cloud Engine tag) and is neither SaaS (SaaS characteristic value is not yes) nor GenAI (doesn't have the Generative AI tag). Thus only Content App-ID attributes contribute to its risk score.
- adobe-firefly-base is a Content App-ID (doesn't have the App-ID Cloud Engine tag) that is also SaaS (SaaS characteristic value of yes) and GenAI (has the Generative AI tag), so the SaaS and GenAI attributes contribute to its risk score.
- scorestream is a Cloud App-ID (has the App-ID Cloud Engine tag) and not GenAI (doesn't have the Generative AI tag). Thus only SaaS attributes contribute to its risk score.
- agentic-ai is a Cloud App-ID (has the App-ID Cloud Engine tag) and GenAI (has the Generative AI tag). Thus SaaS and GenAI attributes contribute to its risk score.
Content App-ID Attributes
The various application characteristics (Evasive, Excessive Bandwidth Use, Used by Malware, Capable of File Transfer, Has Known Vulnerabilities, Tunnels Other Applications, Prone to Misuse and Pervasive) have different weights (factors) and are given a yes or no value depending on the application. If an application characteristic is yes, its factor is added to the overall total. The sum of the factors of all yes characteristics is then mapped onto a risk level of 1 to 5 using the range table below.
| Characteristic | Description |
|---|---|
| Capable of File Transfer | Likely has more than 1,000,000 users. Has the capability to transfer a file from one system to another over a network. A streaming app that has no other mechanism to transfer files other than the video or audio streaming should not be flagged as able to transfer files. |
| Used by Malware | Malware has been known to use the app for propagation, attack, or data theft, or the app is distributed with malware. |
| Excessive Bandwidth Use | Consumes at least 1 Mbps on a regular basis through normal use. |
| Evasive | Uses a port or protocol for something other than its originally intended purpose with the hope that it will traverse a firewall. |
| Pervasive | Likely has more than 1,000,000 users. |
| Known Vulnerabilities | Has a publicly reported vulnerability. For web-based apps, it should also be set to yes, as HTTP always has vulnerabilities. |
| Prone to Misuse | Often used for nefarious purposes or is easily set up to expose more than the user intended. |
| Tunnels Other Apps | Is able to transport other applications inside its protocol. |
| Characteristic | Factor |
|---|---|
| Evasive | 3 |
| Excessive Bandwidth Use | 1 |
| Used by Malware | 4 |
| Capable of File Transfer | 3 |
| Known Vulnerabilities | 3 |
| Tunnels Other Apps | 2 |
| Prone to Misuse | 2 |
| Pervasive | 1 |
| Total | 19 |
| Risk | Range (sum of factors) |
|---|---|
| 1 | 0-3 |
| 2 | 4-6 |
| 3 | 7-9 |
| 4 | 10-13 |
| 5 | 14+ |
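As an added illustration of the factor and range tables above (example code, not from the article or from Palo Alto Networks), this Python snippet computes a Content App-ID risk score from its yes/no characteristics and lists the applications that reach a given risk level; the characteristic key names and the sample applications are assumptions constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Factor (weight) of each Content App-ID characteristic, from the table above.
CONTENT_FACTORS: Dict[str, int] = {
    "evasive": 3, "excessive_bandwidth_use": 1, "used_by_malware": 4,
    "capable_of_file_transfer": 3, "known_vulnerabilities": 3,
    "tunnels_other_apps": 2, "prone_to_misuse": 2, "pervasive": 1,
}

# (lowest total, highest total, risk level) from the range table; None = open-ended (14+).
RISK_RANGES: List[Tuple[int, Optional[int], int]] = [
    (0, 3, 1), (4, 6, 2), (7, 9, 3), (10, 13, 4), (14, None, 5),
]

def content_weighted_sum(characteristics: Dict[str, bool]) -> int:
    """Add up the factor of every characteristic whose value is yes (True).

    Unknown names raise instead of being ignored, so a misspelled key in an
    audit script cannot quietly under-report an application's risk.
    """
    unknown = set(characteristics) - set(CONTENT_FACTORS)
    if unknown:
        raise ValueError(f"unknown characteristic(s): {sorted(unknown)}")
    return sum(CONTENT_FACTORS[n] for n, yes in characteristics.items() if yes)

def risk_level(total: int) -> int:
    """Map a weighted sum onto the 1-5 risk level using the range table."""
    for low, high, risk in RISK_RANGES:
        if low <= total and (high is None or total <= high):
            return risk
    raise ValueError(f"total {total} is outside the range table")

def content_risk(characteristics: Dict[str, bool]) -> Tuple[int, int]:
    """Return (weighted sum, risk level) for a Content App-ID."""
    total = content_weighted_sum(characteristics)
    return total, risk_level(total)

def apps_at_or_above(apps: Dict[str, Dict[str, bool]], min_risk: int) -> List[str]:
    """Names of apps at or above min_risk, e.g. candidates for a risk-based policy rule."""
    return sorted(n for n, c in apps.items() if content_risk(c)[1] >= min_risk)

# Constructed sample characteristic sets for hypothetical apps (not real App-ID values).
SAMPLE_APPS = {
    "hypo-tunnel-tool": {"evasive": True, "used_by_malware": True, "tunnels_other_apps": True},
    "hypo-file-share": {"capable_of_file_transfer": True, "known_vulnerabilities": True},
    "hypo-monitoring": {"pervasive": True, "evasive": False},
}
```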
App-ID characteristics can be viewed in the UI under Objects > Application on Panorama or PAN-OS, and under Objects > Application > Applications on SCM.
SaaS App-ID Attributes
SaaS App-ID attributes that contribute to risk score and the methods used to determine their values are detailed here.
In summary, SaaS risk score is calculated from Compliance, Identity Access Management and Security and Privacy attribute values.
- Compliance attributes identify whether an app adheres to various regulatory requirements and standards.
- Identity Access Management attributes identify an app’s authentication and access control capabilities.
- Security and Privacy attributes identify product features for protecting data.
Depending on the attribute, several different methods are used to determine its value, for example: documentation and public links, investigation of the app domain, and analysis of app traffic.
Each attribute has an assigned weight, affecting the risk score calculation. Attributes considered to have a greater security impact are assigned greater weights and thus have more impact on the risk score. A risk score is given to each attribute based on the attribute value. The overall SaaS App-ID risk score is a weighted average of the individual attribute risk scores.
GenAI App-ID Attributes
The GenAI App-ID attributes that contribute to the risk score, and their weights, are as follows:
- Input Data - This attribute accounts for what types of input the Gen AI application accepts. Examples include, but are not limited to, text, files, images and videos. The number and kinds of input types a Gen AI app can take can raise the risk of leaking data to the application. Weight - 10%
- Output Data - This attribute accounts for what types of output the Gen AI application produces given an input. Examples include, but are not limited to, text, files, images and videos. The number and kinds of output types a Gen AI app can give can raise the risk of malicious responses. Weight - 15%
- Consumption Mode - This attribute describes how users interact with the Gen AI application. Examples include, but are not limited to, webpages, APIs, mobile apps and plugins. The number and kinds of consumption modes a Gen AI application has can raise the risk of users leaking data. Weight - 10%
- Data Used In Model Training - This attribute defines whether an AI application uses users' data for training its models. If true, a user's data has the potential of leaking to all users. Weight - 45%
- Popularity - This attribute describes how popular a Gen AI application is. Either low or high popularity of a Gen AI application results in higher risk. The reasoning is that low-popularity apps may not have compliance, data privacy, etc., and high-popularity apps have a large impact if/when a data leak occurs. Weight - 20%
GenAI App-ID attributes can be found on SCM via AI Access by selecting View all attributes when viewing an App-ID.
Weighted Average
If an App-ID has multiple sets of attributes for risk score (Content, SaaS, GenAI), the individual risk scores are combined via a weighted average into the overall risk score. For example, the adobe-firefly-base risk score is a weighted average of its SaaS and GenAI risk scores. Here is the breakdown of the weighted average between the Content, SaaS and GenAI risk scores.
If an App-ID only has one attribute for risk score (Content only or SaaS only) then that corresponding risk score is the App-ID’s overall risk score.
SaaS + GenAI
| Risk Score | Weight |
|---|---|
| SaaS Risk Score | 30% |
| GenAI Risk Score | 70% |
Note: Currently there are no App-IDs whose risk score is based on Content and GenAI attributes, in other words all GenAI App-IDs are also SaaS and thus both SaaS and GenAI attributes contribute to their overall risk score. If and when such an App-ID exists, this article will be updated to depict the Content + GenAI weighted average to calculate overall risk score.
Additional Information
This article covers the criteria Palo Alto Networks uses to categorize threat severity.