mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-14 23:14:55 +03:00
mukul975
915ea611e5
Skills added: - implementing-privileged-access-workstation (IAM, PAW hardening) - detecting-suspicious-oauth-application-consent (cloud security, Graph API) - performing-hardware-security-module-integration (cryptography, PKCS#11) - analyzing-android-malware-with-apktool (malware analysis, androguard) - hunting-for-unusual-service-installations (threat hunting, T1543.003) - detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis) - performing-active-directory-forest-trust-attack (red team, impacket) - implementing-deception-based-detection-with-canarytoken (deception, Canary API) - analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection) - hunting-for-startup-folder-persistence (threat hunting, T1547.001) Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
39 lines
1.8 KiB
Markdown
39 lines
1.8 KiB
Markdown
---
|
|
name: detecting-shadow-it-cloud-usage
|
|
description: Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification.
|
|
domain: cybersecurity
|
|
subdomain: cloud-security
|
|
tags: [shadow-IT, SaaS-discovery, proxy-logs, DNS-analysis, netflow, cloud-security, pandas]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
---
|
|
|
|
# Detecting Shadow IT Cloud Usage
|
|
|
|
## Overview
|
|
|
|
Shadow IT refers to unauthorized SaaS applications and cloud services used without IT approval. This skill analyzes proxy logs, DNS query logs, and firewall/netflow data to identify unauthorized cloud service usage, classify discovered domains against known SaaS categories, measure data transfer volumes, and flag high-risk services based on security posture and compliance requirements.
|
|
|
|
## Prerequisites
|
|
|
|
- Python 3.9+ with `pandas`, `tldextract`
|
|
- Proxy logs (Squid, Zscaler, or Palo Alto format) or DNS query logs
|
|
- SaaS application catalog/blocklist for classification
|
|
- Network firewall logs with FQDN resolution (optional)
|
|
|
|
## Steps
|
|
|
|
1. Parse proxy access logs and extract destination domains with traffic volumes
|
|
2. Parse DNS query logs to identify resolved cloud service domains
|
|
3. Aggregate traffic by domain using pandas — total bytes, request counts, unique users
|
|
4. Classify domains against known SaaS categories (storage, email, dev tools, AI)
|
|
5. Flag unauthorized services not on the approved application list
|
|
6. Calculate risk scores based on data volume, user count, and service category
|
|
7. Generate shadow IT discovery report with remediation recommendations
|
|
|
|
## Expected Output
|
|
|
|
- JSON report listing discovered cloud services with traffic volumes, user counts, risk scores, and approval status
|
|
- Top unauthorized services ranked by data exfiltration risk
|