
Shadow IT Discovery

The Shadow IT Discovery page provides visibility into the SaaS applications and private network origins your end users are visiting. This information enables you to create identity and device-driven Zero Trust policies to secure your users and data.

Shadow IT Discovery is located in Zero Trust under Analytics > Access.

Enable Shadow IT Discovery

To allow Zero Trust to discover shadow IT in your traffic:

  • Enable the Gateway proxy for HTTP and network traffic.
  • Enable TLS decryption to inspect HTTPS traffic.
  • Ensure any network traffic you want to inspect is not routed around Gateway by a Split Tunnel.

SaaS applications

To see an overview of SaaS applications your users have visited, go to Analytics > Access > SaaS. This tab displays the following information:

  • Unique application users: Chart showing the number of different users who accessed SaaS applications over time.
  • Top approved applications: SaaS applications marked as Approved which had the greatest number of unique visitors.
  • Top unapproved applications: SaaS applications marked as Unapproved which had the greatest number of unique visitors.
  • Zero Trust: Metrics for your Access applications including the total number of accessed applications, failed logins, and connected users over the selected time period.
  • Logins: Chart showing the number of logins for an individual Access application over time.
  • Top applications accessed: Access applications with the greatest number of logins.
  • Top connected users: Users who logged in to the greatest number of Access applications.

Review discovered applications

You can view a list of all discovered SaaS applications and mark them as approved or unapproved. To review an application:

  1. Go to Analytics > Access > SaaS.
  2. In the Unique application users chart, select Review all. The table displays the following fields:
     | Field | Description |
     | --- | --- |
     | Application | SaaS application’s name and logo. |
     | Application type | Application type assigned by Cloudflare Zero Trust. |
     | Status | Application’s approval status. |
     | Secured | Whether the application is currently secured behind Cloudflare Access. |
     | Users | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page. |
  3. Select a specific application to view details.
  4. Assign a new approval status according to your organization’s preferences.

The application’s status will now be updated across charts and visualizations on the SaaS tab. You can block unapproved applications by creating a Gateway policy.

Private network origins

To see an overview of the private network origins your users have visited, go to Analytics > Access > Private Network. This tab displays the following information:

  • Unique origin users: Chart showing the number of different users accessing your private network over time.
  • Top approved origins: Origins marked as Approved which had the greatest number of unique visitors.
  • Top unapproved origins: Origins marked as Unapproved which had the greatest number of unique visitors.
  • Zero Trust: Metrics for your Access applications including the total number of accessed applications, failed logins, and connected users over the selected time period.
  • Logins: Chart showing the number of logins for an individual Access application over time.
  • Top applications accessed: Access applications with the greatest number of logins.
  • Top connected users: Users who logged in to the greatest number of Access applications.

Review discovered origins

You can view a list of all discovered origins and mark them as approved or unapproved. To review a private network origin:

  1. Go to Analytics > Access > Private Network.
  2. In the Unique origin users chart, select Review all. The discovered origins that appear on this page are defined by unique combinations of IP address, port, and protocol.
     | Field | Description |
     | --- | --- |
     | IP address | Origin’s internal IP address in your private network. |
     | Port | Port used to connect to the origin. |
     | Protocol | Protocol used to connect to the origin. |
     | Hostname | Hostname used to access the origin. |
     | Status | Origin’s approval status. |
     | Users | Number of users who connected to the origin over the period of time specified on the Shadow IT Discovery overview page. |
  3. Select a specific origin to view details.
  4. Assign a new approval status according to your organization’s preferences.

The origin’s status will now be updated across charts and visualizations on the Private Network tab. You can block unapproved origins by creating a Gateway policy.

Approval status

Within Shadow IT Discovery, applications are labeled according to their status. The default status for a discovered application is Unreviewed. Your organization can determine the status of each application and change it at any time.

| Status | Description |
| --- | --- |
| Approved | Applications that have been marked as sanctioned by your organization. |
| Unapproved | Applications that have been marked as unsanctioned by your organization. |
| In review | Applications in the process of being reviewed by your organization. |
| Unreviewed | Unknown applications that are neither sanctioned nor being reviewed by your organization at this time. |
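
The origin bookkeeping described on this page, as an added example (not Cloudflare's code or API): it groups constructed session records into origins by unique IP address, port and protocol, counts unique users per origin, and applies the default Unreviewed status. The record layout, the protocol normalization, and the `discover_origins` and `top_origins` helpers are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample sessions (user, ip, port, protocol); not real Gateway output.
SAMPLE_SESSIONS = [
    ("alice@example.com", "10.0.4.12", 443, "tcp"),
    ("alice@example.com", "10.0.4.12", 443, "TCP"),   # repeat visit, counted once
    ("bob@example.com",   "10.0.4.12", 443, "tcp"),
    ("bob@example.com",   "10.0.4.12", 22,  "tcp"),   # same IP, new port: new origin
    ("carol@example.com", "10.0.9.30", 3389, "tcp"),
    ("alice@example.com", "10.0.9.30", 3389, "tcp"),
    ("dave@example.com",  "10.0.9.30", 3389, "tcp"),
    ("dave@example.com",  "10.0.7.5",  53,  "udp"),
    ("carol@example.com", "10.0.7.5",  53,  "tcp"),   # same IP and port, new protocol
]

# Statuses an administrator has assigned so far (constructed values).
ASSIGNED_STATUS = {
    ("10.0.4.12", 443, "tcp"): "Approved",
    ("10.0.9.30", 3389, "tcp"): "Unapproved",
}


def discover_origins(sessions, assigned):
    """Return one row per unique (ip, port, protocol), most users first."""
    users_by_origin = defaultdict(set)
    for user, ip, port, protocol in sessions:
        # Assumption: protocol names are compared case-insensitively.
        users_by_origin[(ip, port, protocol.lower())].add(user)
    rows = [
        {
            "origin": origin,
            # An origin nobody has reviewed yet keeps the default status.
            "status": assigned.get(origin, "Unreviewed"),
            "users": len(users),
        }
        for origin, users in users_by_origin.items()
    ]
    return sorted(rows, key=lambda r: (-r["users"], r["origin"]))


def top_origins(rows, status, limit=5):
    """Rows with the given status, keeping the unique-user ordering."""
    return [r for r in rows if r["status"] == status][:limit]


if __name__ == "__main__":
    for row in discover_origins(SAMPLE_SESSIONS, ASSIGNED_STATUS):
        print(row)
```
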