Usage guide: Shadow IT and data loss visibility

This page outlines various ways to use the pack, including use case examples.

Administrators can refer to the Configuration guide: Shadow IT and data loss visibility to set up and customize the installed content.

This library pack helps IT and security teams:

  • Detect and monitor non-compliant desktop and web applications across various categories, including cloud storage, messaging, VPN, peer-to-peer, AI services, and productivity.

  • Identify suspicious or unauthorized usage patterns that may pose compliance or data leakage risks.

  • Track activity on physical media, file transfer tools, and remote access applications.

  • Communicate with users accessing non-compliant apps using the built-in 'Non-compliant Application Access Warning' campaign.

Library pack uses

Jump to Use cases on this page to see relevant scenario applications.

Use the library pack content for the following purposes.

Gaining visibility into non-compliant application usage

The Shadow IT and data loss visibility live dashboard provides a centralized view of non-compliant tools across categories:

  • Cloud storage, Messaging, VPN & Peer-to-peer, AI services, Productivity apps, and File transfer tabs show pre-defined non-compliant applications and services.

  • Each tab displays application execution, focus time, web connections, and outbound traffic at the device level.

  • The Connection destinations tab highlights risky HTTP requests, webhooks, and remote access connections (e.g., TeamViewer, RDP).

  • The Physical media tab displays when non-OS volumes (e.g., USB drives) are connected and flags risk-prone behaviors, such as executing software from external drives.

Use this dashboard to monitor usage trends, identify devices running risky software, and assess your organization's exposure to shadow IT.

Discovering unknown or unapproved applications

Each dashboard tab includes a Shadow discovery table to surface less-visible non-compliant applications not already flagged in the predefined list.

These widgets are configured to filter applications by category (e.g., Collaboration, Connectivity), and can be refined further using filters like:

  • Product subcategory

  • Destination domain

  • Device name

  • Device location

Sort the table by the number of devices to uncover rare but potentially high-risk tools. This helps detect gaps in compliance, outdated configurations, or user-installed software outside of IT governance.

Communicating with users through soft enforcement

Use the Non-compliant application access warning campaign to inform users of their use of non-compliant apps and suggest compliant alternatives.

To run this campaign effectively:

  1. On any dashboard tab, use widgets to Drill down to devices where the non-compliant application is used.

  2. From there, use Drill down to users to identify the individuals logged into those devices.

  3. Launch the Non-compliant application access warning campaign, targeting these users with a message about their application usage.

This soft enforcement approach enables behavioral change without hard restrictions, guiding users toward approved alternatives.

Use cases

In addition to the relevant use cases covered below, you may uncover other troubleshooting scenarios specific to your environment.

Monitoring usage of non-compliant applications

Use the live dashboard to view detailed metrics on how pre-defined non-compliant tools are used in your environment.

  1. Open the Cloud storage, Messaging, Productivity apps, or other relevant tabs.

  2. Review the Applications and Web services sections to monitor:

    • Number of devices

    • Focus time

    • Outbound traffic

    • Connection count

  3. Use this visibility to assess risk levels and decide whether further investigation is needed.

Identifying and assessing lesser-known applications

Use Shadow discovery tables to uncover uncommon tools used by a small number of users.

  1. Navigate to the Shadow discovery table at the bottom of any tab.

  2. Use filters to narrow the data set by domain, subcategory, or location.

  3. Sort the table by number of devices to highlight the least common applications.

  4. Evaluate whether these tools present a security risk or indicate user needs unmet by IT-approved software.

Engaging with users accessing risky applications

Run a Non-compliant application access warning campaign to educate users and offer safer alternatives.

  1. On any tab, locate the widget that lists devices running the risky application.

  2. Click Drill down to devices, then Drill down to users.

  3. Launch the Non-compliant application access warning campaign, targeting those users.

This two-step approach ensures your campaign reaches the right users, based on device-level application usage.

Detecting data exfiltration behaviors

Use the File transfer, Connection destinations, and Physical media tabs to identify signs of data exfiltration.

  1. Look for large outbound traffic from tools like WinSCP, FileZilla, or curl.

  2. Monitor HTTP requests, webhooks, or connections to unusual countries.

  3. Check for application executions from external drives.

These tabs give you insights into suspicious behavior and help prioritize investigations.
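The same triage logic can be applied to exported telemetry outside the dashboard. The following is an added example, not part of the library pack or the product's own code: the record fields, device names, OS drive set, and the 1 GB threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (not exported from the product): one row per
# process execution with its binary path and outbound bytes.
EVENTS = [
    {"device": "LT-0142", "path": r"C:\Program Files\WinSCP\WinSCP.exe", "bytes_out": 3_200_000_000},
    {"device": "LT-0142", "path": r"C:\Program Files\WinSCP\WinSCP.exe", "bytes_out": 1_100_000_000},
    {"device": "LT-0077", "path": r"C:\Windows\System32\curl.exe", "bytes_out": 40_000},
    {"device": "LT-0077", "path": r"E:\tools\portable_sync.exe", "bytes_out": 12_000},
    {"device": "LT-0301", "path": r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "bytes_out": 750_000_000},
]

TRANSFER_TOOLS = {"winscp.exe", "filezilla.exe", "curl.exe"}  # tools named on this page
OS_DRIVES = {"c:"}                    # assumption: C: is the only OS volume
BYTES_OUT_THRESHOLD = 1_000_000_000   # assumption: 1 GB per device per tool

def triage(events, threshold=BYTES_OUT_THRESHOLD):
    """Return findings for investigation, largest outbound volume first."""
    totals = defaultdict(int)   # (device, binary) -> summed outbound bytes
    external = set()            # (device, path) executed from a non-OS volume
    for e in events:
        p = PureWindowsPath(e["path"])
        binary = p.name.lower()
        if binary in TRANSFER_TOOLS:
            totals[(e["device"], binary)] += e["bytes_out"]
        if p.drive.lower() not in OS_DRIVES:
            external.add((e["device"], e["path"]))
    findings = [
        {"device": d, "reason": "large_outbound_transfer", "detail": b, "bytes_out": n}
        for (d, b), n in totals.items() if n >= threshold
    ]
    findings += [
        {"device": d, "reason": "execution_from_external_drive", "detail": path, "bytes_out": 0}
        for d, path in sorted(external)
    ]
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Summing per device and tool before applying the threshold catches transfers split across several sessions, which a per-event threshold would miss.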

Communicate with users

To facilitate effective communication with users and implement the "soft enforcement" approach, this pack includes a campaign called "Non-compliant application access warning".

Non-compliant application access warning: Informs users about the use of non-compliant applications and offers compliant alternatives.

