agent hive
Join the Waitlist

IT OPS

Audit departed employees for lingering shadow-SaaS access

On an offboarding webhook, checks Datadog SSO logs and Snowflake expense records for any tools the departing employee used or paid for outside the managed app catalog.

CategoryIT Ops
Enginesim
Difficultyadvanced
Triggerwebhook
Steps6
Setup~25 min

How it runs

The automated pipeline, trigger to output.

  • TriggerOffboarding webhook firesHTTP webhook
  • ActionPull employee's authenticated apps from DatadogDatadogDatadog
  • ActionPull employee's SaaS expenses from SnowflakeSnowflakeSnowflake
  • LogicMerge and subtract managed-deprovisioning apps
  • ActionOpen Linear revocation task per shadow toolLinearLinear
  • OutputNotify IT channel in Slack with leaver auditSlack

What it does

Offboarding usually covers the apps IT manages, but shadow tools an employee adopted on their own slip through and leave orphaned access. This workflow runs the moment someone is marked as leaving: it gathers every app they authenticated to in Datadog SSO logs and every SaaS vendor tied to them in Snowflake expense data, removes the ones IT already deprovisions, and turns the leftovers into revocation tasks.

When to use it

Wire it to your HRIS or IdP offboarding event. Essential for security and IT teams that need defensible evidence that a leaver's unmanaged tool access was identified and closed.

How it works

  1. 1An offboarding webhook fires with the departing employee's identity.
  2. 2Datadog returns every application that user authenticated to.
  3. 3Snowflake returns SaaS vendors associated with their expenses.
  4. 4A logic step merges both lists and removes apps already covered by standard deprovisioning, leaving only shadow access.
  5. 5A Linear revocation task is created per remaining tool, and Slack notifies the IT channel with the full leaver audit.

Set it up

What you configure once, before turning it on.

  1. 1
    Connect HTTP webhookTrigger any URL on agent actions.
  2. 2
    Connect DatadogMetrics, traces, log search.
  3. 3
    Connect SnowflakeWarehouses, queries, shares.
  4. 4
    Connect LinearIssues, projects, cycles, triage.
  5. 5
    Connect SlackChannels, DMs, threads, mentions.
  6. 6
    Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
  7. 7
    Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
  8. 8
    Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More IT Ops workflows

Recurring Sensor Fault Root-Cause Investigator

On a schedule, an agent reviews recent Monday work orders and BigQuery telemetry to identify equipment with repeating faults, drafts a root-cause hypothesis with a recommended fix.

Daily Building Anomaly Digest to MS Teams

Each morning queries BigQuery for the prior day's flagged sensor anomalies, summarizes them by site and system into a ranked briefing.

Agentic Inactive-Seat Reclamation Review

An agent investigates each idle SaaS seat by correlating SSO login gaps with HR status and ticket history, classifies it as reclaim, hold, or escalate, and drafts a reasoned…

Reconcile SSO logins against expense spend to find unmanaged tools

Joins SSO usage data with expense/payment records in Snowflake to surface tools that are being used but not paid for, or paid for but never logged.

Approved-Seat Deprovision Execution

Fires when an IT approver confirms a seat for removal, then executes deprovisioning via the IdP API and logs the action to an audit table and a Linear cleanup ticket.

HVAC Anomaly Detection to Severity-Routed Work Orders

Ingests building HVAC telemetry via webhook, flags out-of-band temperature, pressure, or runtime readings.

Browse all IT Ops

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the WaitlistBrowse all workflows