IT OPS
Detect SaaS Charges in Expenses and Open a Security Intake
Scans the corporate-card and expense ledger in Snowflake for recurring SaaS charges that aren't on the approved-vendor list.
How it runs
The automated pipeline, trigger to output.
- Trigger: Nightly schedule after finance ETL
- Action: Query 30-day SaaS card/expense charges (Snowflake)
- Logic: Filter charges not on approved-vendor list
- Action: Open Linear security-intake issue per merchant (Linear)
- Output: DM cardholder and post summary to Slack (Slack)
What it does
Finds unsanctioned SaaS subscriptions by reading expense and corporate-card transactions out of your finance warehouse, matching merchant strings against an approved-vendor catalog, and routing anything new into a security review with the spending employee already identified.
When to use it
Run it nightly or weekly when finance loads card transactions into Snowflake and you want IT/Security to catch tools that bypassed procurement before they accumulate data-sharing risk.
How it works
1. A nightly schedule fires after the finance ETL completes.
2. A Snowflake query pulls the last 30 days of card and expense rows tagged as software/subscription merchants.
3. A logic step normalizes merchant names and filters out anything already in the approved-vendor table, keeping only unmatched recurring charges.
4. For each surviving merchant, a Linear issue is created in the Security Intake project with the amount, cardholder, and first-seen date.
5. A Slack DM notifies the cardholder and posts a summary to the #security-intake channel for the reviewing analyst.
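A sketch of the logic in step 3, added here as an illustration and not taken from the product's own implementation. The row shape, the prefix and suffix lists, exact-match comparison, and the rule that "recurring" means charges on two or more distinct dates are all assumptions; the sample rows are constructed.

```python
import re
from collections import defaultdict
from datetime import date

# Illustrative processor prefixes and legal suffixes (assumed, not from the page).
PREFIX = re.compile(r"^(sq|paypal)\s*\*\s*")
SUFFIXES = {"inc", "llc", "ltd", "corp", "subscr", "subscription"}

def normalize(merchant: str) -> str:
    """Reduce a raw statement descriptor to a comparable merchant key."""
    text = PREFIX.sub("", merchant.lower().strip())
    tokens = re.findall(r"[a-z0-9]+", text)
    # Drop legal suffixes and trailing reference codes (tokens with digits),
    # but keep the first token so names like "1password" survive.
    kept = [t for i, t in enumerate(tokens)
            if t not in SUFFIXES and (i == 0 or not any(c.isdigit() for c in t))]
    return " ".join(kept) or text  # never collapse a merchant to an empty key

def unapproved_recurring(charges, approved_names):
    """Return one finding per unmatched merchant charged on 2+ distinct dates."""
    approved = {normalize(n) for n in approved_names}
    groups = defaultdict(list)
    for merchant, cardholder, day, amount in charges:
        key = normalize(merchant)
        # Exact match only: a loose match could hide an unsanctioned vendor.
        if key not in approved:
            groups[key].append((cardholder, day, amount))
    findings = []
    for key, rows in sorted(groups.items()):
        if len({day for _, day, _ in rows}) < 2:
            continue  # single charge: not treated as recurring here
        findings.append({
            "merchant": key,
            "cardholders": sorted({c for c, _, _ in rows}),
            "first_seen": min(day for _, day, _ in rows),
            "total": round(sum(a for _, _, a in rows), 2),
        })
    return findings

# Constructed sample rows: (merchant, cardholder, date, amount).
CHARGES = [
    ("SQ *Acme Notes, Inc.", "ana@example.com", date(2024, 5, 3), 12.00),
    ("ACME NOTES INC 88213", "ana@example.com", date(2024, 6, 1), 12.00),
    ("Slack T01ABC", "bo@example.com", date(2024, 5, 10), 87.50),
    ("SLACK", "bo@example.com", date(2024, 5, 31), 87.50),
    ("Oneoff Tools LLC", "cy@example.com", date(2024, 5, 15), 49.00),
]
APPROVED = ["Slack"]  # constructed approved-vendor catalog
```

Each returned finding carries the fields step 4 puts on the intake issue: amount, cardholder, and first-seen date.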
Set it up
What you configure once, before turning it on.
1. Connect Snowflake: Warehouses, queries, shares.
2. Connect Linear: Issues, projects, cycles, triage.
3. Connect Slack: Channels, DMs, threads, mentions.
4. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
5. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
