detecting-shadow-it-cloud-usage
Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification.
Best use case
detecting-shadow-it-cloud-usage is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification.
Teams using detecting-shadow-it-cloud-usage should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/detecting-shadow-it-cloud-usage/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How detecting-shadow-it-cloud-usage Compares
| Feature / Agent | detecting-shadow-it-cloud-usage | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Detecting Shadow IT Cloud Usage ## Overview Shadow IT refers to unauthorized SaaS applications and cloud services used without IT approval. This skill analyzes proxy logs, DNS query logs, and firewall/netflow data to identify unauthorized cloud service usage, classify discovered domains against known SaaS categories, measure data transfer volumes, and flag high-risk services based on security posture and compliance requirements. ## When to Use - When investigating security incidents that require detecting shadow it cloud usage - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.9+ with `pandas`, `tldextract` - Proxy logs (Squid, Zscaler, or Palo Alto format) or DNS query logs - SaaS application catalog/blocklist for classification - Network firewall logs with FQDN resolution (optional) ## Steps 1. Parse proxy access logs and extract destination domains with traffic volumes 2. Parse DNS query logs to identify resolved cloud service domains 3. Aggregate traffic by domain using pandas — total bytes, request counts, unique users 4. Classify domains against known SaaS categories (storage, email, dev tools, AI) 5. Flag unauthorized services not on the approved application list 6. Calculate risk scores based on data volume, user count, and service category 7. Generate shadow IT discovery report with remediation recommendations ## Expected Output - JSON report listing discovered cloud services with traffic volumes, user counts, risk scores, and approval status - Top unauthorized services ranked by data exfiltration risk
Related Skills
shadow-goblin
shadow-goblin
securing-kubernetes-on-cloud
This skill covers hardening managed Kubernetes clusters on EKS, AKS, and GKE by implementing Pod Security Standards, network policies, workload identity, RBAC scoping, image admission controls, and runtime security monitoring. It addresses cloud-specific security features including IRSA for EKS, Workload Identity for GKE, and Managed Identities for AKS.
performing-cloud-storage-forensic-acquisition
Perform forensic acquisition and analysis of cloud storage services including Google Drive, OneDrive, Dropbox, and Box by collecting both API-based remote data and local sync client artifacts from endpoint devices.
performing-cloud-penetration-testing-with-pacu
Performing authorized AWS penetration testing using Pacu, the open-source AWS exploitation framework, to enumerate IAM configurations, discover privilege escalation paths, test credential harvesting, and validate security controls through systematic attack simulation.
performing-cloud-native-forensics-with-falco
Uses Falco YAML rules for runtime threat detection in containers and Kubernetes, monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege escalation. Manages Falco rules via the Falco gRPC API and parses Falco alert output. Use when building container runtime security or investigating k8s cluster compromises.
performing-cloud-log-forensics-with-athena
Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs for forensic investigation. Covers CREATE TABLE DDL with partition projection, forensic SQL queries for detecting unauthorized access, data exfiltration, lateral movement, and privilege escalation. Use when investigating AWS security incidents or building cloud-native forensic workflows at scale.
performing-cloud-incident-containment-procedures
Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement.
performing-cloud-forensics-with-aws-cloudtrail
Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns.
performing-cloud-forensics-investigation
Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata from AWS, Azure, and GCP services.
performing-cloud-asset-inventory-with-cartography
Perform comprehensive cloud asset inventory and relationship mapping using Cartography to build a Neo4j security graph of infrastructure assets, IAM permissions, and attack paths across AWS, GCP, and Azure.
managing-cloud-identity-with-okta
This skill covers implementing Okta as a centralized identity provider for cloud environments, configuring SSO integration with AWS, Azure, and GCP, deploying phishing- resistant MFA with Okta FastPass, managing lifecycle automation for user provisioning and deprovisioning, and enforcing adaptive access policies based on device posture and risk signals.
implementing-cloud-workload-protection
Implements cloud workload protection using boto3 and google-cloud APIs for runtime security monitoring, process anomaly detection, and file integrity checking on EC2/GCE instances. Scans for cryptomining, reverse shells, and unauthorized binaries. Use when building runtime security controls for cloud compute workloads.