IR-007 | insider-threat | v1.0.0

Insider Threat Investigation

⚠️ medium / ⚠️ high
Est. Time: 90m
📋 Steps: 10 steps
🔧 Tools: 5 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 2160m

🔧 Tools Required

ueba, siem, dlp platform, edr, identity provider

⚡ Triggers

ueba_anomaly_alert, hr_offboarding_trigger, dlp_policy_violation_insider, siem_after_hours_access, peer_manager_report, security_tip_line_report

🔌 Integrations

(required) microsoft sentinel ueba: User and Entity Behavior Analytics — entity risk scoring
(optional) varonis: File system activity monitoring and data access anomaly detection
(optional) splunk ueba: Alternative UEBA — behavior baselining and anomaly detection
(required) microsoft purview: DLP evidence collection and legal hold management
(optional) servicenow: HR case management integration


Assess the reliability and context of the initial indicator. UEBA alerts need baseline context — what is this user's normal behavior score? HR-triggered investigations (resignation, PIP, termination notice) have a higher prior probability. Anonymous tips need corroboration. Determine whether this is a disgruntled employee, negligent insider, or compromised account scenario. Engage HR to confirm employment status before proceeding.

⚡ Automation Hint

Microsoft Sentinel UEBA: GET https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.SecurityInsights/entityQueries/{id}?api-version=2022-12-01-preview
Splunk UBA: GET https://<splunk_uba>/rest/api/insight/user/<username>

📤 Outputs

investigation_type, user_risk_score, employment_status, initial_indicator_source
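Triage logic for this step as an added example in Python; it is not part of the IR-007 playbook. It assumes the UEBA score and the user's baseline have already been fetched (e.g. via the API calls in the automation hint) and that HR status comes from the identity provider or HR system; the prior weights, the 2-sigma threshold and the sample values are illustrative assumptions, not figures from the playbook.

```python
from dataclasses import dataclass

# Trigger sources named in the playbook with an assumed prior weight encoding its
# guidance: HR-triggered cases carry a higher prior than an uncorroborated tip.
SOURCE_PRIOR = {
    "hr_offboarding_trigger": 0.6,
    "dlp_policy_violation_insider": 0.5,
    "peer_manager_report": 0.4,
    "ueba_anomaly_alert": 0.3,
    "siem_after_hours_access": 0.3,
    "security_tip_line_report": 0.2,
}
NEEDS_CORROBORATION = {"security_tip_line_report"}  # anonymous tips

@dataclass
class Indicator:
    source: str
    user_risk_score: float       # current UEBA entity risk score
    baseline_mean: float         # the user's normal score (UEBA baseline)
    baseline_std: float
    employment_status: str       # "active", "notice_given", "terminated", ...
    hr_confirmed: bool           # HR has confirmed the employment status
    corroborated: bool = False   # a second, independent indicator exists
    credentials_anomalous: bool = False  # e.g. new device, impossible travel

def classify(ind: Indicator) -> dict:
    # How far the current score sits from the user's own baseline, in sigmas
    z = (ind.user_risk_score - ind.baseline_mean) / max(ind.baseline_std, 1e-9)
    if ind.source in NEEDS_CORROBORATION and not ind.corroborated:
        itype = "pending_corroboration"
    elif ind.credentials_anomalous:
        itype = "compromised_account"       # the account, not the person, acts
    elif ind.employment_status in ("notice_given", "terminated"):
        itype = "disgruntled_employee"      # HR context raises the prior
    elif z >= 2.0:
        itype = "negligent_insider"         # out of baseline, no hostile signal
    else:
        itype = "benign_anomaly"
    prior = min(SOURCE_PRIOR.get(ind.source, 0.2) + min(max(z, 0.0), 3.0) * 0.1, 1.0)
    return {
        "investigation_type": itype,
        "user_risk_score": ind.user_risk_score,
        "baseline_sigma": round(z, 2),
        "employment_status": ind.employment_status if ind.hr_confirmed else "unconfirmed",
        "initial_indicator_source": ind.source,
        "prior": round(prior, 2),
        "proceed": ind.hr_confirmed and itype != "pending_corroboration",
    }
```

The `proceed` flag enforces the step's two gates: HR must have confirmed employment status, and an anonymous tip must be corroborated before the case moves on.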