detecting-shadow-it-cloud-usage

Solid

Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification.

AI & Automation | 13,115 stars | 1,533 forks | Updated today | Apache-2.0

Quality Score: 97/100

Stars (20% weight): 100
Recency (20% weight): 100
Frontmatter (20% weight): 70
Documentation (15% weight): 87
Issue Health (10% weight): 50
License (10% weight): 100
Description (5% weight): 100

Skill Content

# Detecting Shadow IT Cloud Usage

## Overview

Shadow IT refers to SaaS applications and cloud services adopted without the IT organization's knowledge or approval. This skill analyzes proxy logs, DNS query logs, and firewall/netflow data to identify unauthorized cloud service usage, classify discovered domains against known SaaS categories, measure data transfer volumes, and flag high-risk services based on security posture and compliance requirements.

## When to Use

- When investigating security incidents that require detecting shadow IT cloud usage
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.9+ with `pandas`, `tldextract`
- Proxy logs (Squid, Zscaler, or Palo Alto format) or DNS query logs
- SaaS application catalog/blocklist for classification
- Network firewall logs with FQDN resolution (optional)

## Steps

1. Parse proxy access logs and extract destination domains with traffic volumes
2. Parse DNS query logs to identify resolved cloud service domains
3. Aggregate traffic by domain using pandas: total bytes, request counts, unique users
4. Classify domains against known SaaS categories (storage, email, dev tools, AI)
5. Flag unauthorized services not on the approved application list
6. Calculate risk scores based on data volume, user count, and service category
7. Generate shadow IT ...
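Steps 1 and 3 through 6 of the procedure above, carried through on proxy logs as an added example; this is not the skill's own code. The skill relies on `pandas` and `tldextract`, while this version deliberately uses only the Python standard library so it runs with no dependencies. The Squid-format log lines, the SaaS catalog, the approved-application list and the risk weights and thresholds are all constructed for illustration, and the `registered_domain` helper handles only a handful of multi-label public suffixes; a real deployment should swap in `tldextract` for that step.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid "native" access.log lines (hosts, users and sizes are invented):
#   timestamp elapsed client_ip result/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1700000000.001 210 10.0.0.5 TCP_MISS/200 5242880 PUT https://api.fileshare-example.com/v1/upload alice HIER_DIRECT/203.0.113.10 application/octet-stream
1700000000.002 150 10.0.0.6 TCP_MISS/200 7340032 PUT https://api.fileshare-example.com/v1/upload bob HIER_DIRECT/203.0.113.10 application/octet-stream
1700000000.003 90 10.0.0.7 TCP_MISS/200 1024 GET https://www.fileshare-example.com/ carol HIER_DIRECT/203.0.113.10 text/html
1700000000.004 60 10.0.0.5 TCP_MISS/200 2048 POST https://chat.ai-assistant-example.com/api/completions alice HIER_DIRECT/203.0.113.20 application/json
1700000000.005 300 10.0.0.8 TCP_MISS/200 4096 GET https://mail.corp-approved-example.com/inbox dave HIER_DIRECT/203.0.113.30 text/html
1700000000.006 40 10.0.0.9 TCP_MISS/200 512 GET https://tools.unknown-example.co.uk/download erin HIER_DIRECT/203.0.113.40 application/zip
1700000000.007 10 10.0.0.5 TCP_DENIED/403 0 CONNECT updates.corp-approved-example.com:443 alice HIER_NONE/- -
"""

# Hypothetical SaaS catalog and approved-application list, standing in for the
# catalog/blocklist the skill lists as a prerequisite.
SAAS_CATALOG = {
    "fileshare-example.com": "storage",
    "ai-assistant-example.com": "ai",
    "corp-approved-example.com": "email",
}
APPROVED = {"corp-approved-example.com"}

# Illustrative risk weights and thresholds, not the skill's own scoring.
CATEGORY_RISK = {"storage": 3, "ai": 3, "email": 2, "dev": 2, "collaboration": 1}
UNCLASSIFIED_RISK = 2  # unknown destinations still deserve a second look
MIB = 1024 * 1024
# Suffixes where the registrable domain keeps three labels; use tldextract in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}


def registered_domain(host):
    """Collapse a hostname to its registrable domain (simplified suffix rules)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_from_url(url):
    """Extract the host; CONNECT requests log a bare host:port with no scheme."""
    if "://" not in url:
        return url.split(":", 1)[0]
    return urlsplit(url).hostname or ""


def parse_squid_line(line):
    """Step 1: return (host, bytes, user) for one line, or None if malformed."""
    fields = line.split()
    if len(fields) < 8 or not fields[4].isdigit():
        return None
    return host_from_url(fields[6]), int(fields[4]), fields[7]


def aggregate(lines):
    """Step 3: total bytes, request count and unique users per registered domain."""
    stats = defaultdict(lambda: {"total_bytes": 0, "requests": 0, "users": set()})
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or not rec[0]:
            continue
        host, size, user = rec
        s = stats[registered_domain(host)]
        s["total_bytes"] += size  # denied requests log 0 bytes but still count
        s["requests"] += 1
        if user != "-":           # "-" means no authenticated user in Squid
            s["users"].add(user)
    return stats


def risk_score(category, total_bytes, unique_users):
    """Step 6: category base risk plus data-volume and adoption modifiers."""
    score = CATEGORY_RISK.get(category, UNCLASSIFIED_RISK)
    if total_bytes >= 100 * MIB:
        score += 3
    elif total_bytes >= 10 * MIB:
        score += 2
    elif total_bytes >= MIB:
        score += 1
    if unique_users >= 10:
        score += 2
    elif unique_users >= 3:
        score += 1
    return score


def find_shadow_it(lines):
    """Steps 4-6: classify each domain, drop approved services, score the rest."""
    findings = []
    for domain, s in aggregate(lines).items():
        if domain in APPROVED:
            continue
        category = SAAS_CATALOG.get(domain, "unclassified")
        users = len(s["users"])
        findings.append({
            "domain": domain, "category": category,
            "total_bytes": s["total_bytes"], "requests": s["requests"],
            "unique_users": users,
            "risk_score": risk_score(category, s["total_bytes"], users),
        })
    findings.sort(key=lambda f: (-f["risk_score"], f["domain"]))  # worst first
    return findings


if __name__ == "__main__":
    print(*find_shadow_it(SAMPLE_LOG.splitlines()), sep="\n")
```

On the sample data the storage service scores highest because three users pushed over 10 MiB to it, the AI assistant is flagged on category alone, and the unknown `.co.uk` host surfaces as "unclassified" so it can be added to the catalog; the approved mail service, including its blocked CONNECT attempt, is suppressed. Two details matter in practice: aggregate on the registered domain rather than the full hostname, or one service fragments across dozens of `api.`, `cdn.` and regional subdomains, and keep denied requests in the request count, since repeated blocked attempts are themselves a signal of demand for an unsanctioned tool.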

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content, not just the same category.

API & Backend Featured

detecting-shadow-api-endpoints

Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis, code scanning, and API discovery platforms.

13,115 Updated today
mukul975
AI & Automation Solid

analyzing-cloud-storage-access-patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

13,115 Updated today
mukul975
AI & Automation Solid

detecting-aws-cloudtrail-anomalies

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

13,115 Updated today
mukul975
AI & Automation Solid

hunting-for-domain-fronting-c2-traffic

Detect domain fronting C2 traffic by analyzing mismatches between the TLS SNI and the HTTP Host header in proxy logs, and TLS certificate discrepancies, using pyOpenSSL for certificate inspection.

13,115 Updated today
mukul975
AI & Automation Solid

performing-network-traffic-analysis-with-tshark

Automate network traffic analysis using tshark and pyshark for protocol statistics, suspicious flow detection, DNS anomaly identification, and IOC extraction from PCAP files.

13,115 Updated today
mukul975