Skill

detecting-shadow-it-cloud-usage

From asi

Detects shadow IT by analyzing proxy logs, DNS queries, and netflow data with Python pandas; classifies SaaS domains, flags unauthorized services, scores risks, generates reports. For SOC threat hunting and compliance audits.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Shadow IT refers to unauthorized SaaS applications and cloud services used without IT approval. This skill analyzes proxy logs, DNS query logs, and firewall/netflow data to identify unauthorized cloud service usage, classify discovered domains against known SaaS categories, measure data transfer volumes, and flag high-risk services based on security posture and compliance requirements.

SKILL.md

Similar Skills

detecting-shadow-it-cloud-usage

5.9k

Detects shadow IT cloud usage by analyzing proxy, DNS query, and netflow logs with Python pandas for domain classification, traffic volumes, and risk scoring.

3 files

cybersecurity-skills

detecting-shadow-it-cloud-usage

Analyzes proxy, DNS query, and netflow logs using Python pandas to detect Shadow IT: unauthorized SaaS/cloud services. Aggregates traffic by domain, classifies SaaS categories, scores risks, generates JSON reports.

3 files

cybersecurity-skills-zh

zins-audit-shadow-it

Audits shadow IT and SaaS usage via Zscaler Z-Insights: discovers unsanctioned apps, assesses risk scores, monitors CASB usage, tracks data transfers, inventories IoT devices. For security team shadow IT queries.

zscaler

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting Shadow IT Cloud Usage

Overview

When to Use

When investigating security incidents that require detecting shadow it cloud usage

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with pandas, tldextract

Proxy logs (Squid, Zscaler, or Palo Alto format) or DNS query logs

SaaS application catalog/blocklist for classification

Network firewall logs with FQDN resolution (optional)

Steps

Parse proxy access logs and extract destination domains with traffic volumes

Parse DNS query logs to identify resolved cloud service domains

Aggregate traffic by domain using pandas — total bytes, request counts, unique users

Classify domains against known SaaS categories (storage, email, dev tools, AI)

Flag unauthorized services not on the approved application list

Calculate risk scores based on data volume, user count, and service category

Generate shadow IT discovery report with remediation recommendations

Expected Output

JSON report listing discovered cloud services with traffic volumes, user counts, risk scores, and approval status

Top unauthorized services ranked by data exfiltration risk