[CF1] shadow IT update (#24387)

Co-authored-by: Max Phillips <[email protected]>

Author: deadlypants1973

src/content/docs/cloudflare-one/applications/app-library.mdx

@@ -11,6 +11,8 @@ The Application Library allows users to manage their SaaS applications in Cloudf
 
 To access the App Library in [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **App Library**. Each application card will list the number of hostnames associated with the application, the supported Zero Trust product usage, and the [app type](/cloudflare-one/policies/gateway/application-app-types/#app-types).
 
+The App Library groups [Do Not Inspect applications](/cloudflare-one/policies/gateway/application-app-types/#do-not-inspect-applications) within the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. Traffic that does not match a known application will not be included in the App Library.
+
 ## View application details
 
 Select an application card to view details about the application.
@@ -20,7 +22,7 @@ Select an application card to view details about the application.
 The **Overview** tab shows details about an application, including:
 
 - Name
-- Shadow IT [review status](/cloudflare-one/insights/analytics/shadow-it-discovery/#approval-status)
+- Shadow IT [review status](#review-applications)
 - Number of hostnames
 - [App type](/cloudflare-one/policies/gateway/application-app-types/#app-types)
 - Supported Zero Trust applications
@@ -42,14 +44,6 @@ The Shadow IT Discovery dashboard will provide more details for discovered appli
 
 ## Review applications
 
-To organize applications into their approval status for your organization, you can mark them as **Unreviewed** (default), **In review**, **Approved**, and **Unapproved**. The App Library synchronizes application review statuses with [approval statuses](/cloudflare-one/insights/analytics/shadow-it-discovery/#approval-status) from Shadow IT Discovery.
-
-<Render file="approval-status-block" product="cloudflare-one" />
-
-To set the status of an application:
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **App Library**.
-2. Locate the card for the application.
-3. In the three-dot menu, select the option to mark your desired status.
+The App Library synchronizes application review statuses with approval statuses from the [Shadow IT Discovery SaaS analytics](/cloudflare-one/insights/analytics/shadow-it-discovery/) dashboard.
 
-Once you mark the status of an application, its badge will change. You can filter applications by their status to review each application in the list for your organization.
+<Render file="app-library-review-apps" />

src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx

@@ -1,100 +1,61 @@
 ---
 pcx_content_type: reference
-title: Shadow IT Discovery
+title: Shadow IT SaaS analytics
 sidebar:
   order: 5
 ---
 
 import { Render } from "~/components";
 
-Shadow IT Discovery provides visibility into the SaaS applications and private network origins your users are visiting. This information allows you to create identity and device-driven Zero Trust policies to secure your users and data.
+Shadow IT SaaS analytics provides visibility into the SaaS applications your users are visiting. This information allows you to create identity and device-driven Zero Trust policies to secure your users and data.
 
-To view Shadow IT Discovery in [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics**, then select **Shadow IT Discovery**.
+To access Shadow IT SaaS analytics, in [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics** > **Dashboards**, then select **Shadow IT: SaaS analytics**.
 
-## Turn on Shadow IT Discovery
+## Prerequisites
 
-To allow Zero Trust to discover shadow IT in your traffic:
+To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/).
 
-- Turn on the [Gateway proxy](/cloudflare-one/policies/gateway/proxy/) for HTTP and network traffic.
-- Turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) to inspect HTTPS traffic.
-- Ensure any network traffic you want to inspect is not routed around Gateway by a [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/).
+## Use Shadow IT SaaS analytics
 
-## SaaS applications
+### 1. Review applications
 
-For an overview of SaaS applications your users have visited, go to **Analytics** > **Access** > **SaaS**. This tab displays the following information:
+The first step in using the Shadow IT SaaS analytics dashboard is to review applications in the [Application Library](/cloudflare-one/applications/app-library/). The App Library synchronizes application review statuses with approval statuses from the Shadow IT Discovery SaaS analytics dashboard.
 
-- **Unique application users**: Chart showing the number of different users who accessed SaaS applications over time.
-- **Top approved applications**: SaaS applications marked as [**Approved**](#approval-status) which had the greatest number of unique visitors.
-- **Top unapproved applications**: SaaS applications marked as [**Unapproved**](#approval-status) which had the greatest number of unique visitors.
-- **Zero Trust**: Metrics for your Access applications including the total number of accessed applications, failed logins, and connected users over the selected time period.
-- **Logins**: Chart showing the number of logins for an individual Access application over time.
-- **Top applications accessed**: Access applications with the greatest number of logins.
-- **Top connected users**: Users who logged in to the greatest number of Access applications.
+<Render file="app-library-review-apps" />
 
-### Review discovered applications
+### 2. Monitor usage
 
-You can view a list of all discovered SaaS applications and mark them as approved or unapproved. To review an application:
+Review the Shadow IT SaaS analytics dashboard for application usage. Filter the view based on:
 
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics**, then select **Shadow IT Discovery**
-2. Go to **SaaS**.
-3. In the **Unique application users** chart, select **Review all**. The table displays the following fields:
+    | Field            | Description                                                                                                                  |
+    | ---------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+    | Application      | SaaS application's name and logo.                                                                                            |
+    | Application type | [Application type](/cloudflare-one/policies/gateway/application-app-types/#app-types) assigned by Cloudflare Zero Trust.     |
+    | Status           | Application's approval status.                                                                           |
+    | Secured          | Whether the application is currently secured behind Cloudflare Access.                                                       |
+    | Users            | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page. |
 
-| Field            | Description                                                                                                                  |
-| ---------------- | ---------------------------------------------------------------------------------------------------------------------------- |
-| Application      | SaaS application's name and logo.                                                                                            |
-| Application type | [Application type](/cloudflare-one/policies/gateway/application-app-types/#app-types) assigned by Cloudflare Zero Trust.     |
-| Status           | Application's [approval status](#approval-status).                                                                           |
-| Secured          | Whether the application is currently secured behind Cloudflare Access.                                                       |
-| Users            | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page. |
+To manage application statuses in bulk, select **Set Application Statuses** to review applications your users commonly visit and update their approval statuses.
 
-3. Select a specific application to view details.
-4. Assign a new [approval status](#approval-status) according to your organization's preferences.
+### 3. Create policies
 
-The application's status will now be updated across charts and visualizations on the **SaaS** tab. You can block unapproved applications by creating a [Gateway policy](/cloudflare-one/policies/gateway/).
+After marking applications, you can create [HTTP policies](/cloudflare-one/policies/gateway/http-policies/) based on application review status. For example, you can create policies that:
 
-## Private network origins
+- Launch all **Unreviewed** and **In review** applications in an [isolated browser](/cloudflare-one/policies/gateway/http-policies/common-policies/#1-isolate-unreviewed-or-in-review-applications).
+- [Block access](/cloudflare-one/policies/gateway/http-policies/common-policies/#2-block-unapproved-applications) to all **Unapproved** applications.
+- Limit file upload capabilities for specific application statuses.
 
-To see an overview of the private network origins your users have visited, go to **Analytics** > **Access** > **Private Network**. This tab displays the following information:
+To create an HTTP status policy directly from Shadow IT Discovery:
 
-- **Unique origin users**: Chart showing the number of different users accessing your private network over time.
-- **Top approved origins**: Origins marked as [**Approved**](#approval-status) which had the greatest number of unique visitors.
-- **Top unapproved origins**: Origins marked as [**Unapproved**](#approval-status) which had the greatest number of unique visitors.
-- **Zero Trust**: Metrics for your Access applications including the total number of accessed applications, failed logins, and connected users over the selected time period.
-- **Logins**: Chart showing the number of logins for an individual Access application over time.
-- **Top applications accessed**: Access applications with the greatest number of logins.
-- **Top connected users**: Users who logged in to the greatest number of Access applications.
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics** > **Dashboards**, then select **Shadow IT: SaaS analytics**.
+2. Select **Set application statuses**.
+3. Select **Manage HTTP status policies**, then choose an application status and select **Create policy**.
 
-### Review discovered origins
+## Available insights
 
-You can view a list of all discovered origins and mark them as approved or unapproved. To review a private network origin:
+The Shadow IT SaaS analytics dashboard includes several insights to help you monitor and manage SaaS application usage.
 
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Analytics**, then select **Shadow IT Discovery**
-2. Go to **Private Network**.
-3. In the **Unique origin users** chart, select **Review all**. The discovered origins that appear on this page are defined by unique combinations of IP address, port, and protocol.
-
-| Field      | Description                                                                                                             |
-| ---------- | ----------------------------------------------------------------------------------------------------------------------- |
-| IP address | Origin's internal IP address in your private network.                                                                   |
-| Port       | Port used to connect to the origin.                                                                                     |
-| Protocol   | Protocol used to connect to the origin.                                                                                 |
-| Hostname   | Hostname used to access the origin.                                                                                     |
-| Status     | Origin's [approval status](#approval-status)                                                                            |
-| Users      | Number of users who connected to the origin over the period of time specified on the Shadow IT Discovery overview page. |
-
-3. Select a specific origin to view details.
-4. Assign a new [approval status](#approval-status) according to your organization's preferences.
-
-The origin's status will now be updated across charts and visualizations on the **Private Network** tab. You can block unapproved origins by creating a [Gateway policy](/cloudflare-one/policies/gateway/).
-
-## Approval status
-
-Within Shadow IT Discovery, applications are labeled according to their status. The default status for a discovered application is **Unreviewed**. Your organization can determine the status of each application and change their status at any time.
-
-<Render file="approval-status-block" product="cloudflare-one" />
-
-| Status     | Description                                                                                            |
-| ---------- | ------------------------------------------------------------------------------------------------------ |
-| Approved   | Applications that have been marked as sanctioned by your organization.                                 |
-| Unapproved | Applications that have been marked as unsanctioned by your organization.                               |
-| In review  | Applications in the process of being reviewed by your organization.                                    |
-| Unreviewed | Unknown applications that are neither sanctioned nor being reviewed by your organization at this time. |
+- **Number of applications by status**: A breakdown of how many applications have been categorized into each [approval status](#1-review-applications). The list of applications is available in the [App Library](/cloudflare-one/applications/app-library/).
+- **Data transferred per application status**: A time-series graph showing the amount of data (in gigabytes) transferred to an application in the given status.
+- **User count per application status**: A time-series graph showing the number of users who have interacted with at least one application in a given status. For example, a user can use an **Approved** application shortly followed by an **In review** application, contributing to counts for both of those statuses.
+- **Top-N metrics**: A collection of metrics providing insights into top applications, users, devices, and countries.

src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx

@@ -13,6 +13,8 @@ Gateway allows you to create DNS, Network, and HTTP policies based on applicatio
 
 When you choose the _Application_ selector in a Gateway policy builder, the **Value** field will include all supported applications and their respective app types. Alternatively, you can use the [Gateway API](/api/resources/zero_trust/subresources/gateway/subresources/app_types/methods/list/) to fetch a list of applications, app types, and ID numbers.
 
+To manage a consolidated list of applications across Zero Trust, you can use the [Application Library](/cloudflare-one/applications/app-library/).
+
 ## App types
 
 Gateway sorts applications into the following app type groups:
@@ -57,8 +59,9 @@ To ensure Gateway evaluates traffic with your desired precedence, order your mos
 
 Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected.
 
-:::note[Install Cloudflare certificate manually to allow TLS decryption]
+When managing applications with the [Application Library](/cloudflare-one/applications/app-library/), Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**.
 
+:::note[Install Cloudflare certificate manually to allow TLS decryption]
 Instead of creating a Do Not Inspect policy for an application, you may be able to configure the application to [trust a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications). Doing so will allow the application to function without losing visibility into your traffic.
 :::
 

src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx

@@ -291,6 +291,78 @@ When accessing origin servers with certificates not signed by a public certifica
 
 For more information on supported file types, refer to [Download and Upload File Types](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types).
 
+## Isolate or block shadow IT applications
+
+Isolate shadow IT applications discovered by the [Application Library](/cloudflare-one/applications/app-library/) that have not been reviewed yet or are currently under review, and block applications that are not approved by your organization.
+
+For more information on reviewing shadow IT applications, refer to [Review applications](/cloudflare-one/applications/app-library/#review-applications).
+
+### 1. Isolate unreviewed or in review applications
+
+Isolate applications if their approval status is _Unreviewed_ or _In review_.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+| Selector           | Operator | Value        | Logic | Action  |
+| ------------------ | -------- | ------------ | ----- | ------- |
+| Application Status | is       | _Unreviewed_ | Or    | Isolate |
+| Application Status | is       | _In review_  |       |         |
+
+</TabItem>
+
+<TabItem label="API">
+
+<APIRequest
+	path="/accounts/{account_id}/gateway/rules"
+	method="POST"
+	json={{
+		name: "Isolate unreviewed or in review application status",
+		description:
+			"Isolate Shadow IT applications that have not been reviewed or are in review in the Application Library",
+		enabled: true,
+		action: "isolate",
+		filters: ["http"],
+		traffic:
+			'any(app.statuses[*] == "unreviewed") or any(app.statuses[*] == "in review")',
+		identity: "",
+		device_posture: "",
+	}}
+/>
+
+</TabItem> </Tabs>
+
+### 2. Block unapproved applications
+
+Block applications if their approval status is _Unapproved_.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+| Selector           | Operator | Value        | Action |
+| ------------------ | -------- | ------------ | ------ |
+| Application Status | is       | _Unapproved_ | Block  |
+
+</TabItem>
+
+<TabItem label="API">
+
+<APIRequest
+	path="/accounts/{account_id}/gateway/rules"
+	method="POST"
+	json={{
+		name: "Block unapproved application status",
+		description:
+			"Block Shadow IT applications that have been marked as unapproved in the Application Library",
+		enabled: true,
+		action: "block",
+		filters: ["http"],
+		traffic: 'any(app.statuses[*] == "unapproved")',
+		identity: "",
+		device_posture: "",
+	}}
+/>
+
+</TabItem> </Tabs>
+
 ## Block Google services
 
 To enable Gateway inspection for Google Drive traffic, you must [add a Cloudflare certificate to Google Drive](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#google-drive).