# Usage guide: Shadow IT and data loss visibility

{% hint style="info" %}
This page outlines various ways to use the pack, including use case examples.

Administrators can refer to the [Configuration guide: Shadow IT and data loss visibility](/platform/library-packs/security-and-compliance/shadow-it/configuration-guide-shadow-it.md) to set up and customize the installed content.
{% endhint %}

This library pack helps IT and security teams:

* Detect and monitor non-compliant desktop and web applications across various categories, including cloud storage, messaging, VPN, peer-to-peer, AI services, and productivity.
* Identify suspicious or unauthorized usage patterns that may pose compliance or data leakage risks.
* Track activity on physical media, file transfer tools, and remote access applications.
* Communicate with users accessing non-compliant apps using the built-in 'Non-compliant Application Access Warning' campaign.

## Library pack uses

{% hint style="info" %}
Jump to [Use cases](#use-cases) on this page to see relevant scenario applications.
{% endhint %}

Use the library pack content for the following purposes.

### Gaining visibility into non-compliant application usage

The **Shadow IT and data loss visibility** live dashboard provides a centralized view of non-compliant tools across categories:

* Cloud storage, Messaging, VPN & Peer-to-peer, AI services, Productivity apps, and File transfer tabs show pre-defined non-compliant applications and services.
* Each tab displays application execution, focus time, web connections, and outbound traffic at the device level.
* The Connection destinations tab highlights risky HTTP requests, webhooks, and remote access connections (e.g., TeamViewer, RDP).
* The Physical media tab displays when non-OS volumes (e.g., USB drives) are connected and flags risk-prone behaviors, such as executing software from external drives.

Use this dashboard to monitor usage trends, identify devices running risky software, and assess your organization's exposure to shadow IT.

<figure><img src="/files/ADzO1ht8rtpdIeRktNNI" alt=""><figcaption></figcaption></figure>

### Discovering unknown or unapproved applications

Each dashboard tab includes a **Shadow discovery** table to surface less-visible non-compliant applications not already flagged in the predefined list.

These widgets are configured to filter applications by category (e.g., **Collaboration**, **Connectivity**), and can be refined further using filters like:

* **Product subcategory**
* **Destination domain**
* **Device name**
* **Device location**

Sort the table by the number of devices to uncover rare but potentially high-risk tools. This helps detect gaps in compliance, outdated configurations, or user-installed software outside of IT governance.

### Communicating with users through soft enforcement

Use the **Non-compliant application access warning** campaign to inform users of their use of non-compliant apps and suggest compliant alternatives.

To run this campaign effectively:

1. On any dashboard tab, use widgets to **Drill down to devices** where the non-compliant application is used.

<figure><img src="/files/ShjvwU2736YPwrvra9c0" alt="" width="375"><figcaption></figcaption></figure>

2. From there, use **Drill down to users** to identify the individuals logged into those devices.

<figure><img src="/files/Za32zDFqAWiaAX3RiJhs" alt="" width="375"><figcaption></figcaption></figure>

3. Launch the **Non-compliant application access warning** campaign, targeting these users with a message about their application usage.

<figure><img src="/files/J04JvEX6KbiTpdF4NhJh" alt="" width="375"><figcaption></figcaption></figure>

This soft enforcement approach enables behavioral change without hard restrictions, guiding users toward approved alternatives.

<figure><img src="/files/A9OTlk7Kt1RjWgVKi8eV" alt=""><figcaption></figcaption></figure>

## Use cases

In addition to the relevant use cases covered below, you may uncover other troubleshooting scenarios specific to your environment.

### Monitoring usage of non-compliant applications

Use the live dashboard to view detailed metrics on how pre-defined non-compliant tools are used in your environment.

1. Open the **Cloud storage**, **Messaging**, **Productivity apps**, or other relevant tabs.
2. Review the **Applications** and **Web services** sections to monitor:
   * Number of devices
   * Focus time
   * Outbound traffic
   * Connection count
3. Use this visibility to assess risk levels and decide whether further investigation is needed.

<figure><img src="/files/dBeAvorybZKcgO153UfO" alt=""><figcaption></figcaption></figure>

### Identifying and assessing lesser-known applications

Use **Shadow discovery** tables to uncover uncommon tools used by a small number of users.

1. Navigate to the **Shadow discovery** table at the bottom of any tab.
2. Use filters to narrow the data set by domain, subcategory, or location.
3. Sort the table by **number of devices** to highlight the least common applications.
4. Evaluate whether these tools present a security risk or indicate user needs unmet by IT-approved software.

<figure><img src="/files/lZSJ0sjDAymlGpTSVISY" alt=""><figcaption></figcaption></figure>

### Engaging with users accessing risky applications

Run a **Non-compliant application access warning** campaign to educate users and offer safer alternatives.

1. On any tab, locate the widget that lists devices running the risky application.
2. Click **Drill down to devices**, then **Drill down to users**.
3. Launch the **Non-compliant application access warning** campaign, targeting those users.

This two-step approach ensures your campaign reaches the right users, based on device-level application usage.

### Detecting data exfiltration behaviors

Use the **File transfer**, **Connection destinations**, and **Physical media** tabs to identify signs of data exfiltration.

1. Look for large outbound traffic from tools like **WinSCP**, **FileZilla**, or **curl**.
2. Monitor **HTTP requests**, **webhooks**, or unusual country connections.
3. Check for application executions from **external drives**.

These tabs give you insights into suspicious behavior and help prioritize investigations.

#### Communicate with users

To facilitate effective communication with users and implement the "soft enforcement" approach, this pack includes a campaign called "Non-compliant application access warning".

**Non-compliant application access warning:** Informs users about the use of non-compliant applications and offers compliant alternatives

***

RELATED TOPICS

* [Live dashboard](https://nexthink.gitbook.io/opd/user-guide/live-dashboards)
* [Manage campaigns](https://docs.nexthink.com/platform/user-guide/campaigns/managing-campaigns)
* [Overview: Shadow IT and data loss visibility](/platform/library-packs/security-and-compliance/shadow-it.md)
* [Configuration guide: Shadow IT and data loss visibility](/platform/library-packs/security-and-compliance/shadow-it/configuration-guide-shadow-it.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.nexthink.com/platform/library-packs/security-and-compliance/shadow-it/usage-guide-shadow-it.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.