Insider Threat Investigation
This scenario covers suspected malicious or negligent activity by an internal user: bulk access to sensitive files outside business hours, access to systems outside the user’s normal scope, or data movement that bypasses approved channels.
Scenario
A UBA or SIEM alert fires on anomalous user behaviour — a corporate account accessed hundreds of files on an OT documentation share between 02:00 and 04:00, a pattern that does not match the user’s historical baseline. The alert includes the username, source IP, accessed resource paths, and a timestamp window as observables.
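The alert logic described above, as an added example that is not part of the original page or of any product it describes: a per-user, per-hour-of-day baseline of distinct files touched, built from audit lines, with the suspect window scored against that baseline. The log line format, the usernames, IPs and paths are all constructed for the example, and the threshold (mean plus three standard deviations, with a minimum excess of ten files) is an assumption, not a documented UBA setting. The example also includes a night-shift account whose own baseline covers 02:00 to 04:00, to show why a user-specific baseline matters more than a fixed "outside business hours" rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed audit-log line format (constructed for this example, not a real product format):
#   <ISO-8601 timestamp> <username> <source IP> <file path>


def parse_audit(lines):
    """Parse audit lines into (timestamp, user, src_ip, path) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, src_ip, path = line.split(maxsplit=3)   # paths may contain spaces
        events.append((datetime.fromisoformat(ts), user, src_ip, path))
    return events


def distinct_files_per_hour(events):
    """Map (user, date, hour-of-day) -> set of distinct paths accessed in that hour."""
    buckets = defaultdict(set)
    for ts, user, _src_ip, path in events:
        buckets[(user, ts.date(), ts.hour)].add(path)
    return buckets


def hourly_baseline(events, user, exclude_date=None):
    """Per hour-of-day (mean, population stdev) of distinct files the user touched,
    over every day the user was active, zero-filled for hours with no activity.
    The alert day is excluded so it cannot pollute its own baseline."""
    history = [e for e in events if e[1] == user and e[0].date() != exclude_date]
    buckets = distinct_files_per_hour(history)
    active_days = {day for (_u, day, _h) in buckets}
    baseline = {}
    for hour in range(24):
        counts = [len(buckets.get((user, day, hour), ())) for day in active_days]
        baseline[hour] = (mean(counts), pstdev(counts)) if counts else (0.0, 0.0)
    return baseline


def score_window(events, user, start, end, k=3.0, min_excess=10):
    """Compare distinct files accessed by user in [start, end) against the per-hour
    baseline. Returns (flagged, observed, expected_ceiling). k and min_excess are
    assumed tuning values."""
    window = [e for e in events if e[1] == user and start <= e[0] < end]
    observed = len({e[3] for e in window})
    baseline = hourly_baseline(events, user, exclude_date=start.date())
    expected = 0.0
    t = start
    while t < end:                                  # sum the ceiling hour by hour
        m, s = baseline[t.hour]
        expected += m + k * s
        t += timedelta(hours=1)
    flagged = observed > expected and (observed - expected) >= min_excess
    return flagged, observed, expected


def constructed_history():
    """Constructed baseline: five weekdays where jdoe reads a few files in office hours
    and nightops (a night-shift account) reads six files between 02:00 and 03:59."""
    lines = []
    for day in range(6, 11):                        # 2024-05-06 .. 2024-05-10
        for i in range(3):
            lines.append(f"2024-05-{day:02d}T09:{10*i:02d}:00 jdoe 10.20.30.40 /ot-docs/plc/line{i}.pdf")
        for i in range(2):
            lines.append(f"2024-05-{day:02d}T10:{10*i:02d}:00 jdoe 10.20.30.40 /ot-docs/hmi/screen{i}.pdf")
        for hour in (2, 3):
            for i in range(3):
                lines.append(f"2024-05-{day:02d}T{hour:02d}:{10*i:02d}:00 nightops 10.20.30.55 /ot-docs/ops/shift{hour}_{i}.pdf")
    return lines


def constructed_alert_day():
    """Constructed alert day: jdoe touches 200 distinct drawings between 02:00 and
    04:00 while nightops keeps its usual six-file pattern."""
    lines = []
    first = datetime(2024, 5, 13, 2, 0)
    for i in range(200):
        ts = first + timedelta(seconds=36 * i)      # spread across the two hours
        lines.append(f"{ts.isoformat()} jdoe 10.20.30.40 /ot-docs/plc/drawing{i:03d}.dwg")
    for hour in (2, 3):
        for i in range(3):
            lines.append(f"2024-05-13T{hour:02d}:{10*i:02d}:00 nightops 10.20.30.55 /ot-docs/ops/shift{hour}_{i}.pdf")
    return lines


EVENTS = parse_audit(constructed_history() + constructed_alert_day())
ALERT_WINDOW = (datetime(2024, 5, 13, 2, 0), datetime(2024, 5, 13, 4, 0))

if __name__ == "__main__":
    for user in ("jdoe", "nightops"):
        flagged, observed, expected = score_window(EVENTS, user, *ALERT_WINDOW)
        print(f"{user}: observed={observed} expected<={expected:.1f} flagged={flagged}")
```

Running it flags jdoe (200 distinct files against a baseline ceiling of 0 for those hours) and leaves nightops alone (6 files against a ceiling of 6), which is the distinction the alert's "does not match the user's historical baseline" wording relies on. In production the baseline needs more history than five days and should be rebuilt daily; a baseline built from a window that already contains the anomaly will hide it.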
Create the case
Open Alerts and locate the alert. Click Preview, review the Similar cases tab for prior anomalies tied to the same user or source IP, then select the Insider Threat template from the Import alert as dropdown and click Yes, Import.
The case is created with the following tasks:
| Task | Group | Action |
|---|---|---|
| Verify authorisation | Identification | Contact the user’s direct manager and HR to confirm whether the activity was planned or approved. Check the user’s calendar and any open change tickets for the access window. |
| Identify accessed resources | Identification | List all files, directories, and systems touched during the anomalous period. Note the sensitivity classification of each resource — engineering drawings, OT configurations, and customer data warrant immediate escalation. |
| Check for data exfiltration | Identification | Review proxy, DLP, and email gateway logs for outbound transfers from the user’s workstation. Record destination addresses, transfer volumes, and protocols. Check removable media logs if available. |
| Assess user risk history | Investigation | Pull the user’s activity logs for the past 30 days. Look for prior anomalies: failed logins, privilege changes, access to systems outside their role, or earlier bulk downloads. |
| Contain the account | Containment | If the activity cannot be confirmed as authorised, suspend the account and revoke all active sessions. Use the BlockUser responder or coordinate with the identity team. Do not notify the user before consulting HR and Legal. |
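The "Check for data exfiltration" task above, worked as an added example that is not part of the original page or of any product it describes: the user's outbound transfers in the alert window are aggregated per destination, recording volume, protocols and ports, and a destination is surfaced when it is a personal cloud storage host, uses a non-HTTP protocol to an unapproved destination, or carries more than a volume threshold. The log format, sample lines, hostnames, the personal-storage watchlist, the approved-channel list and the 100 MiB threshold are all constructed assumptions; in practice the category and allow lists come from the proxy and the DLP policy.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed egress/proxy log format (constructed for this example, not a real product format):
#   <ISO ts> user=<name> src=<ip> dst=<host-or-ip>:<port> proto=<proto> bytes_out=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) proto=(?P<proto>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample lines. 203.0.113.0/24 and *.example are documentation ranges/names.
SAMPLE_EGRESS = """\
2024-05-13T02:14:05 user=jdoe src=10.20.30.40 dst=intranet.corp.example:443 proto=https bytes_out=5120
2024-05-13T02:31:17 user=jdoe src=10.20.30.40 dst=files.personal-drive.example:443 proto=https bytes_out=734003200
2024-05-13T02:52:40 user=jdoe src=10.20.30.40 dst=203.0.113.17:21 proto=ftp bytes_out=268435456
2024-05-13T03:20:01 user=jdoe src=10.20.30.40 dst=mail.corp.example:587 proto=smtp bytes_out=20480
2024-05-13T11:00:00 user=jdoe src=10.20.30.40 dst=files.personal-drive.example:443 proto=https bytes_out=1048576
2024-05-13T02:40:00 user=nightops src=10.20.30.55 dst=intranet.corp.example:443 proto=https bytes_out=2048
"""

# Constructed lists and threshold (assumptions for the example).
PERSONAL_STORAGE = {"files.personal-drive.example"}
APPROVED_CHANNELS = {"intranet.corp.example", "mail.corp.example"}
VOLUME_THRESHOLD = 100 * 1024 * 1024   # >= 100 MiB to a single destination in the window
WEB_PROTOCOLS = {"http", "https"}
ALERT_WINDOW = (datetime(2024, 5, 13, 2, 0), datetime(2024, 5, 13, 4, 0))


def parse_egress(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["port"] = int(rec["port"])
        rec["bytes"] = int(rec["bytes"])
        events.append(rec)
    return events


def summarise_by_destination(events, user, start, end):
    """Aggregate the user's outbound transfers in [start, end) per destination."""
    per_dst = defaultdict(lambda: {"bytes": 0, "protos": set(), "ports": set(), "transfers": 0})
    for e in events:
        if e["user"] != user or not (start <= e["ts"] < end):
            continue
        d = per_dst[e["dst"]]
        d["bytes"] += e["bytes"]
        d["protos"].add(e["proto"])
        d["ports"].add(e["port"])
        d["transfers"] += 1
    return per_dst


def exfil_findings(text, user, start, end):
    """Return the destinations worth recording on the case, largest volume first,
    each with the reasons it was selected."""
    findings = []
    for dst, d in summarise_by_destination(parse_egress(text), user, start, end).items():
        reasons = []
        if dst in PERSONAL_STORAGE:
            reasons.append("personal cloud storage")
        if dst not in APPROVED_CHANNELS and not d["protos"] <= WEB_PROTOCOLS:
            reasons.append("non-HTTP protocol: " + ",".join(sorted(d["protos"] - WEB_PROTOCOLS)))
        if d["bytes"] >= VOLUME_THRESHOLD:
            reasons.append(f"{d['bytes']} bytes outbound in window")
        if reasons:
            findings.append({"dst": dst, "bytes": d["bytes"], "protos": sorted(d["protos"]),
                             "ports": sorted(d["ports"]), "transfers": d["transfers"],
                             "reasons": reasons})
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in exfil_findings(SAMPLE_EGRESS, "jdoe", *ALERT_WINDOW):
        print(f["dst"], f["bytes"], f["protos"], f["ports"], "; ".join(f["reasons"]))
```

On the sample data the personal cloud host (about 700 MiB over HTTPS) and the FTP upload to 203.0.113.17 are returned, while the small intranet and corporate mail transfers are not; the 11:00 upload falls outside the window and is deliberately ignored here, though it belongs in the 30-day "Assess user risk history" task. The returned destinations are the values to add as observables of type domain or ip in the next step.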
Add observables and run analyzers
Open the Observables tab and click Add Observable. Add:
Username (type other) — the internal account involved.
Source IP (type ip) — the workstation or device used.
Accessed resource paths (type other) — key directories or file shares accessed.
Destination domain or IP (type domain or ip) — if exfiltration was detected.
If a destination domain or IP is present, run threat intelligence analyzers to determine whether it is a known data broker, personal cloud storage service, or infrastructure associated with a competing organisation.
TTPs
From the TTPs tab, add the techniques observed:
T1078 Valid Accounts — use of legitimate credentials for unauthorised access.
T1083 File and Directory Discovery — bulk enumeration of accessible files.
T1039 Data from Network Shared Drive — collection of files from the OT documentation share. Use T1005 Data from Local System instead if the data was gathered from the user’s own workstation.
T1048 Exfiltration Over Alternative Protocol — if data left via FTP, DNS, or another non-HTTP channel.
T1567 Exfiltration Over Web Service — if data was uploaded to a cloud service.
T1098 Account Manipulation — if the user modified permissions or credentials on an account during the activity window. If a secondary account was created, use T1136 Create Account instead.
Close the case
After all tasks are complete, click Close case. Select:
True Positive — confirmed unauthorised access or data theft by an internal user.
False Positive — activity was authorised (approved maintenance, delegated access).
Indeterminate — activity cannot be confirmed as malicious or authorised.
Set Impact to Yes if sensitive data was accessed or exfiltrated — customer records, OT system configurations, engineering drawings, or financial data all qualify. Before closing a True Positive, confirm that HR and Legal have been notified and that any required regulatory reporting obligations have been reviewed.