// first 10 minutes
insider threat / data exfiltration — quick-start
insider threat — first 10 minutes. preserve logs before the user notices the investigation. print this, check boxes, then run the primary tools.
checklist
- do not confront or notify the subject employee yet — premature disclosure destroys evidence and may accelerate exfiltration.
- preserve the subject's endpoint image before any policy-mandated auto-wipe or MDM remote-wipe triggers.
- export DLP alerts for the subject covering the past 90 days — every flagged download, forward, print, or external transfer.
- pull email send logs for the subject — outbound volume spike, personal-address recipients, large attachments.
- export cloud storage sync logs — Dropbox, Box, OneDrive, Google Drive upload events for the subject account.
- pull VPN session logs — unusual after-hours or off-network access patterns for the subject.
- export GitHub/GitLab clone and fork logs for any repo the subject had access to.
- pull badge access logs if available — late stays or off-hours building access corroborate the digital exfiltration window.
- engage legal and HR before interviewing — attorney-client privilege over the investigation may depend on who initiates contact.
- begin the primary tool path below — insider threat correlator and DLP event timeline builder.
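the export steps above feed one correlation step. the block below is an added example, not code from this page or from any of the listed tools: a small timeline builder that merges constructed email, VPN and badge exports for one subject and tags each event with the checklist indicators it triggers (personal-address recipient, large attachment, outbound volume spike, after-hours VPN, off-hours badge). log formats, the subject name, domains, business hours and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample exports for subject "jdoe" (assumed formats).
# email: timestamp,sender,recipient,attachment_kb
EMAIL_LOG = """2024-03-04T09:12:00,jdoe@corp.example,partner@vendor.example,120
2024-03-06T22:41:00,jdoe@corp.example,jdoe.home@gmail.com,48200
2024-03-06T22:55:00,jdoe@corp.example,jdoe.home@gmail.com,51000
2024-03-07T10:02:00,jdoe@corp.example,team@corp.example,300"""
# vpn: timestamp,user,source_ip,action
VPN_LOG = """2024-03-06T22:30:00,jdoe,203.0.113.7,connect
2024-03-07T08:55:00,jdoe,198.51.100.2,connect"""
# badge: timestamp,user,door
BADGE_LOG = """2024-03-06T21:50:00,jdoe,HQ-3F-ENTRY
2024-03-07T08:40:00,jdoe,HQ-3F-ENTRY"""

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 on weekdays is normal
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
LARGE_ATTACHMENT_KB = 10_000    # assumption: anything over 10 MB is "large"
SPIKE_FACTOR = 5                # assumption: a day > 5x median daily volume is a spike

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def build_timeline(email_log=EMAIL_LOG, vpn_log=VPN_LOG, badge_log=BADGE_LOG):
    """Merge the three exports into one time-ordered list of events; each
    event carries the checklist indicators it triggers in its 'flags' list."""
    events, daily_kb = [], defaultdict(int)
    for line in email_log.splitlines():
        ts, _sender, rcpt, kb = line.split(",")
        ts, kb = datetime.fromisoformat(ts), int(kb)
        daily_kb[ts.date()] += kb
        flags = []
        if rcpt.rsplit("@", 1)[1] in PERSONAL_DOMAINS:
            flags.append("personal-recipient")
        if kb > LARGE_ATTACHMENT_KB:
            flags.append("large-attachment")
        events.append({"ts": ts, "source": "email", "detail": f"{kb} KB to {rcpt}", "flags": flags})
    for line in vpn_log.splitlines():
        ts, _user, ip, action = line.split(",")
        ts = datetime.fromisoformat(ts)
        events.append({"ts": ts, "source": "vpn", "detail": f"{action} from {ip}",
                       "flags": ["after-hours-vpn"] if off_hours(ts) else []})
    for line in badge_log.splitlines():
        ts, _user, door = line.split(",")
        ts = datetime.fromisoformat(ts)
        events.append({"ts": ts, "source": "badge", "detail": door,
                       "flags": ["off-hours-badge"] if off_hours(ts) else []})
    # Outbound volume spike: compare each day's total with the subject's (upper) median day.
    median = sorted(daily_kb.values())[len(daily_kb) // 2]
    for ev in events:
        if ev["source"] == "email" and daily_kb[ev["ts"].date()] > SPIKE_FACTOR * median:
            ev["flags"].append("volume-spike")
    return sorted(events, key=lambda e: e["ts"])

def flag_counts(events):
    """How often each indicator fired across the merged timeline."""
    return Counter(f for ev in events for f in ev["flags"])

if __name__ == "__main__":
    for ev in build_timeline():
        print(ev["ts"].isoformat(), ev["source"], ev["detail"], ",".join(ev["flags"]))
```

real exports need their own column mapping, but the shape is the same: one normalised event list, indicators attached per event, then counts per indicator to decide which of the primary tools to run first.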
primary tools
- 01 insider threat behavioral indicator scorer: drop multiple forensic artifact csvs for a specific user · score against published insider threat behavioral indicators · data staging · unusual access · policy violations · communication patterns · produce risk profile · runs locally
- 02 data access pattern anomaly detector: drop file access logs or security evtx with object access events · compute per-user access baselines · detect bulk access · off-hours access · cross-department access · unusual file type access · statistical outlier sessions · runs locally
- 03 peer group statistical outlier analyzer: drop artifact sets for multiple users · compute per-user feature vectors · identify statistical outliers · surface the user whose behavior differs most from their peers · peer comparison charts · runs locally
- 04 time-of-day activity fingerprinter: drop logon evtx csv or activity logs for a user · build 24-hour activity fingerprint · compare two time periods · chi-squared test for pattern change · detect when a different person used the account · account sharing detection · runs locally
- 05 user behavior baseline profiler: drop months of logon evtx csvs or auth log exports · build statistical baseline per user · active hours · session duration · machine affinity · flag any session that deviates significantly from that user's normal pattern · runs locally
- 06 copy-paste behavior and data lineage tracer: drop clipboard history exports · lnk file access times · recently opened files csvs · correlate what was copied from where and pasted where · trace data lineage across applications · build evidence of deliberate data extraction · runs locally
- 07 user workstation affinity mapper: drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
- 08 credential to lateral movement tracer: drop credential dumping evidence csvs · logon event csvs · admin share access · service install events · trace a specific credential from dump through use and propagation across systems · reconstruct the attack chain · runs locally