Lab 1: Visibility into Shadow IT and SaaS Usage
Switch to Enterprise Tenant (Tenant 1)
Lab Setup was completed in the Lab Tenant. Labs 1 to 4 use the Enterprise Tenant (Tenant 1). Log out of the Lab Tenant and log in at https://sdc.zslogin.net/ using your Enterprise Tenant Admin credentials before proceeding.
Establish foundational visibility into SaaS usage, application instances, and sensitive data activity across the organization.
Task 1: Discover Shadow IT using the SaaS Security Report
Identify unsanctioned cloud applications and understand their potential risk to the organization.
Analytics → Experience Center
The Experience Center aggregates data from multiple security services to provide a unified visibility platform.
Locate the Switch to Existing Reports toggle in the lower-left corner and ensure it is enabled.
Analytics → SaaS Security Report
Explain that this report is the primary tool for discovering shadow IT activity across the organization. Everything visible here was discovered passively: no agents, no network taps.
Observe the following metrics in the Overview section, then review Top Application Categories and Applications by Risk Index:
| Metric | What it tells you |
|---|---|
| Total Applications | Number of unique SaaS applications detected |
| Total Bytes | Total volume of data transferred |
| Upload Bytes | Data leaving the organization |
| Download Bytes | Data entering the organization |
Risk Index scoring prioritizes investigation and remediation by potential security impact. Focus first on unsanctioned apps that combine a high Risk Index with upload or share capability; those are the candidate exfiltration paths, and the observed Upload Bytes tell you which ones are already carrying data out.
Locate an application marked as Unsanctioned (for example, Dropbox) and click the application name to view detailed risk information.
Review the application risk details:
- Application Status: Sanctioned or Unsanctioned
- Risk Index: relative risk level
- Activities Supported: Upload, Download, Share, Edit, Delete
Emphasize that applications supporting file upload and sharing present a higher data exfiltration risk. An unsanctioned file-sharing app with upload capability is a potential exfiltration vector for files such as Dataparity's payroll report.
- How many unsanctioned applications exist in the environment?
- Which application categories present the highest risk?
- What types of data could be exposed through unsanctioned file-sharing applications?
- Should all unsanctioned applications be blocked, or should risk-based prioritization be applied?
You cannot protect what you cannot see. Shadow IT discovery provides the visibility required to identify potential data exfiltration vectors before applying security controls.
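As an added example (not part of the lab and not Zscaler code), the risk-based prioritization described above applied in Python to a CSV export of the report. The column names, the Risk Index scale (assumed to rise with risk) and the sample rows are constructed assumptions, not the product's real export schema; the point is the ordering policy, which you can adapt to whatever the export actually contains.

```python
"""Risk-based triage of shadow IT found by a SaaS usage report.

Added example for this lab, not Zscaler code. It assumes a CSV export
with hypothetical column names (Application, Category, Status,
Risk Index, Activities, Upload Bytes, Download Bytes) and a Risk Index
that rises with risk. The rows in SAMPLE_EXPORT are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export; hypothetical schema, not a real report.
SAMPLE_EXPORT = """\
Application,Category,Status,Risk Index,Activities,Upload Bytes,Download Bytes
Dropbox,File Sharing,Unsanctioned,4,Upload;Download;Share,734003200,52428800
Box,File Sharing,Sanctioned,2,Upload;Download;Share,1048576000,838860800
WeTransfer,File Sharing,Unsanctioned,5,Upload;Share,10485760,0
Pastebin,Web Utilities,Unsanctioned,5,Upload,20480,4096
YouTube,Streaming Media,Unsanctioned,3,Download,1024,9663676416
Microsoft 365,Collaboration,Sanctioned,1,Upload;Download;Share;Edit;Delete,5368709120,8589934592
"""

# Activities that can move data out of the organization.
EXFIL_ACTIVITIES = frozenset({"Upload", "Share"})


@dataclass(frozen=True)
class SaasApp:
    name: str
    category: str
    sanctioned: bool
    risk_index: int
    activities: frozenset
    upload_bytes: int
    download_bytes: int

    @property
    def exfil_capable(self) -> bool:
        """True if the app supports at least one outbound activity."""
        return bool(self.activities & EXFIL_ACTIVITIES)


def parse_export(text: str) -> list:
    """Parse the (assumed) CSV export into SaasApp records."""
    apps = []
    for row in csv.DictReader(io.StringIO(text)):
        activities = frozenset(
            a.strip() for a in row["Activities"].split(";") if a.strip()
        )
        apps.append(SaasApp(
            name=row["Application"].strip(),
            category=row["Category"].strip(),
            sanctioned=row["Status"].strip().lower() == "sanctioned",
            risk_index=int(row["Risk Index"]),
            activities=activities,
            upload_bytes=int(row["Upload Bytes"]),
            download_bytes=int(row["Download Bytes"]),
        ))
    return apps


def priority_key(app: SaasApp) -> tuple:
    """Sort key; with reverse=True the highest tuple comes first.

    Order of precedence: unsanctioned, then exfil-capable, then Risk Index,
    then observed upload volume. Change the tuple order to change the policy.
    """
    return (not app.sanctioned, app.exfil_capable, app.risk_index, app.upload_bytes)


def triage(apps: list) -> list:
    """Apps in the order an analyst should look at them."""
    return sorted(apps, key=priority_key, reverse=True)


def exfil_vectors(apps: list) -> list:
    """Names of unsanctioned apps that can move data out, highest priority first."""
    return [a.name for a in triage(apps) if not a.sanctioned and a.exfil_capable]


def category_risk(apps: list) -> dict:
    """Highest Risk Index seen per category, counting only unsanctioned apps."""
    worst = {}
    for a in apps:
        if a.sanctioned:
            continue
        worst[a.category] = max(worst.get(a.category, 0), a.risk_index)
    return worst


if __name__ == "__main__":
    found = parse_export(SAMPLE_EXPORT)
    for a in triage(found):
        flag = "EXFIL" if (not a.sanctioned and a.exfil_capable) else "     "
        print(f"{flag} risk={a.risk_index} up={a.upload_bytes:>12} {a.name}")
    print("Investigate first:", exfil_vectors(found))
    print("Riskiest categories:", category_risk(found))
```

On the sample data Dropbox lands third even though it has moved far more data than WeTransfer or Pastebin, because the key ranks Risk Index above observed volume. If your concern is data already leaving rather than data that could leave, move `upload_bytes` ahead of `risk_index` in `priority_key`; the rest of the code is unchanged.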
Task 2: Discover Application Instances
Identify individual SaaS application instances (domains) and understand which users are accessing them.
Analytics → Instance Discovery Report
Select the desired time range (for example, Last Quarter) and choose an application such as Gmail to review detected instances.
Review the list of detected domains associated with the selected application. Click a domain such as gmail.com to investigate usage details. Then click the Analyze More button to drill deeper into the domain activity.
Explain that each domain represents a distinct application instance. A user accessing gmail.com with a personal account and a user accessing a corporate workspace.google.com account represent two different risk profiles; this report surfaces both.
Observe the list of users interacting with the selected domain and review their activity:
- Upload Bytes
- Download Bytes
- Number of Transactions
- Last Accessed
Instance-level visibility goes beyond knowing which apps are in use: it reveals whether employees are using corporate-managed instances or personal accounts, which have entirely different risk and compliance implications.
Task 3: Automatic Content Classification Using ML-Based Detection
Observe how sensitive content is automatically classified using machine learning, even when no policy is configured.
Analytics → Data Discovery Report
Ensure Switch to Existing Reports is enabled. Review the dashboard showing detected sensitive files and ML categories.
Review the dashboard widgets (Top 10 Users, Timeline for Files in Top ML Categories, Top 10 Applications) and click Analyze More to investigate further.
Highlight how activity trends reveal where sensitive data is being created or uploaded. The timeline view is particularly useful: a spike in ML-classified file activity often correlates with a specific user event or business process.
Select a Content Type such as Immigration and a Subcategory such as Asylum and Refugee. Review the associated Application and User.
- Which ML content categories appear most frequently in your environment?
- Does seeing user-level attribution change how you would approach a data exposure investigation?
- How does automatic classification without a predefined policy change the traditional DLP deployment model?
This is full data lineage from content to user. The drill-down demonstrates the complete chain (content classification → application → user) without any policy configuration. It is the foundation that makes targeted enforcement in Labs 6, 7, and 8 possible.
Lab 1 summary: "We can now see every app (Task 1), every instance including personal accounts (Task 2), and automatically classified sensitive content without writing a single policy (Task 3). This is the visibility foundation everything else builds on."
Transition to Lab 2: "Next we look at the security posture of the SaaS apps themselves โ not just what employees are using, but whether those apps are configured securely."
Lab Summary
In this lab you established foundational visibility into SaaS usage and sensitive data activity:
| Task | What you did |
|---|---|
| Task 1 | Discovered shadow IT applications and reviewed risk profiles |
| Task 2 | Identified application instances and user-level activity |
| Task 3 | Observed automatic ML-based content classification |
These capabilities provide the visibility required before implementing data protection and enforcement controls in subsequent labs.