Tor is a protocol. Like BitTorrent, or IRC, etc. Tor is used to anonymize user traffic.
It is considered high risk for a few reasons:
1. it can be used to bypass firewall filters (traffic to blocked sites can be accessed through Tor)
2. It is used to access the "dark web"
3. It can put undue stress on your network and if users are somehow running relays or exit nodes on your network can put you on blacklists
Just like other protocols, you can access these "apps" through web browsers. So just like IRC, or WhatsApp, etc. I don't always need a dedicated app to access these things. A web browser works just the same. And FGT App Control will flag the access to these apps regardless of how they are accessed.
You can investigate by figuring out which devices are accessing the Tor network by looking at FAZ logs. You can also put an app control policy in place to block it if you feel it is required to do so.