According to our cloud app security we have a number of apps graded 3- 4 level security level, so since i have no user info(as the logs come from a checkpoint firewall and are not that integrated) I deciided to look at the firewall.
Cannot identify the app concerned at all, how does the cloud app security CASB read these apps ... should i just assume its correct and ask the user if he/she has used this app but then find they no nothing about them?
Cloud App Security uses your traffic logs to dynamically discover and analyze the cloud apps that your organization is using. The discovery of apps in achieved by comparing the destination URL/IP to a set of apps' signatures. Specifically for Checkpoint Firewall, the identification is based on the destination IP (as Checkpoint does not log the destination URL).
The signatures database is continuously updated to accurately capture the latest URLs and IP on known Cloud Apps, and to cover new apps that were published.
We often see cases where apps are discovered in Cloud App Security but not in customers' FW/Proxy due to outdated signatures held by the FW/Proxy. The accurate and updated signature database, also known as the Cloud App Security Application Catalog, is one on the key benefits of using the product for Shadow IT discovery.