investigating-insider-threat-indicators

# Investigating Insider Threat Indicators ## When to Use Use this skill when: - HR refers a departing employee for monitoring during their notice period - DLP alerts indicate bulk data downloads or transfers to personal storage - UEBA detects anomalous access patterns deviating significantly from peer baselines - Management reports concerns about an employee accessing sensitive data outside their role **Do not use** without proper legal authorization — insider threat investigations must be coordinated with HR, Legal, and Privacy teams before monitoring begins. ## Prerequisites - Legal authorization and HR referral documenting investigation justification - SIEM with DLP, endpoint, email, proxy, and authentication log sources - Data Loss Prevention (DLP) system (Microsoft Purview, Symantec, Forcepoint) with policy alerts - Endpoint monitoring capability (EDR with USB/removable media logging) - HR data feed providing employment status, notice dates, and access entitlements - Chain of custody procedures for evidence preservation ## Workflow ### Step 1: Establish Investigation Scope and Legal Authorization Before any monitoring, ensure proper authorization: ``` INSIDER THREAT INVESTIGATION AUTHORIZATION ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Case ID: IT-2024-0089 Subject: [Employee Name] — [Department] Authorized By: [CISO / General Counsel] Referral Source: HR — Employee submitted resignation, 2-week notice Justification: Employee has acc...