Insider threats are the hardest category of security incident to detect. The attacker uses legitimate credentials, legitimate tools, and has legitimate reasons to be in most of the systems they access. The only reliable detection method is behavioral analytics based on deviation from established baseline patterns.
These queries and indicators come from insider threat investigations at regulated financial institutions where the stakes of both missing a real threat and incorrectly flagging an innocent employee are extremely high. Every detection here is built around behavioral deviation, not signature matching.
Insider threat investigations require coordination with HR and Legal from the moment an employee is specifically identified as a subject of investigation. Do not proceed with targeted investigation of a named individual without involving these teams. Evidence handling and chain of custody matter for any potential legal action.
Understanding Insider Threat Patterns
Insider threats broadly fall into two categories. Malicious insiders are employees who deliberately exfiltrate data, sabotage systems, or assist external attackers. Negligent insiders cause harm through careless behavior without malicious intent. The detection approach differs significantly between them but the behavioral signals often overlap in the early stages.
The most reliable early indicators across both categories are access pattern changes. An employee who suddenly starts accessing systems or data they have never touched before, or who dramatically increases their access volume in a short period, is generating a behavioral signal worth investigating regardless of intent.
Query 1: Unusual Data Volume Access — Microsoft Sentinel KQL
Establishes a 30-day baseline of file access volume per user and surfaces accounts that significantly exceed their normal pattern. Data staging before exfiltration generates exactly this pattern.
let baseline = DeviceFileEvents
| where Timestamp between (ago(30d) .. ago(1d))
| where ActionType in ("FileRead","FileAccessed","FileDownloaded")
| summarize
BaselineAvg = avg(count()),
BaselineStd = stdev(count())
by AccountName, bin(Timestamp, 1d);
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType in ("FileRead","FileAccessed","FileDownloaded")
| summarize TodayCount = count()
by AccountName
| join kind=inner baseline on AccountName
| where TodayCount > BaselineAvg + (3 * BaselineStd)
| project AccountName, TodayCount,
BaselineAvg=round(BaselineAvg, 0),
Deviation=TodayCount - round(BaselineAvg, 0)
| order by Deviation desc
Query 2: USB and Removable Media Usage — CrowdStrike LogScale
Detects removable media connections from accounts or hosts where this behavior has not been observed in the baseline period. In financial institutions where USB access should be restricted, any removable media connection from a standard user is worth reviewing.
#event_simpleName=RemovableMediaMounted
| groupBy([UserName, ComputerName, DeviceInstanceId],
function=min(timestamp, as=firstSeen))
| where firstSeen > now() - 1d * 1
| join(
{#event_simpleName=RemovableMediaMounted
| where timestamp < now() - 1d * 1
| where timestamp > now() - 30d
| groupBy([UserName, ComputerName],
function=count(as=historicalMounts))},
field=[UserName, ComputerName],
mode=leftanti
)
| table firstSeen UserName ComputerName DeviceInstanceId
| "sort" firstSeen desc
Query 3: After Hours Access to Sensitive Systems — Splunk
Surfaces authentication events to sensitive systems outside normal business hours from standard user accounts. Legitimate after-hours access to sensitive data should be rare and documentable. Unexplained after-hours access to financial or HR systems is a high-priority signal.
index=win_* EventCode=4624 earliest=-30d latest=now
| eval logon_type=coalesce(Logon_Type, LogonType)
| eval account=coalesce(Account_Name, TargetUserName)
| eval computer=coalesce(ComputerName, dest)
| where logon_type IN ("2","3","10")
| where match(computer, "(?i)(fin|hr|payroll|exec|dc|domain|sensitive)")
| eval hour=strftime(_time, "%H")
| where hour < "07" OR hour > "19"
| where NOT match(account, "(?i)(svc_|service|admin|backup|\$$)")
| stats
count as logins,
values(computer) as systems_accessed,
dc(computer) as unique_systems
by account, date_wday
| where unique_systems > 2 OR logins > 10
| sort -logins
Query 4: Email Forwarding Rule Creation
Detecting inbox forwarding rules created to external addresses is one of the most reliable indicators of credential compromise and insider data theft. Legitimate employees rarely set up forwarding to personal external accounts. This query surfaces new forwarding rules created in Exchange or Microsoft 365.
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in (
"Set-Mailbox","New-InboxRule",
"Set-InboxRule","UpdateInboxRules"
)
| where RawEventData contains "ForwardTo"
or RawEventData contains "ForwardingSmtpAddress"
or RawEventData contains "RedirectTo"
| extend ForwardTarget = extract(
'"ForwardTo":"([^"]+)"', 1, tostring(RawEventData))
| where ForwardTarget !endswith your_domain_here
| project Timestamp, AccountDisplayName,
IPAddress, ActionType, ForwardTarget
| order by Timestamp desc
Replace your_domain_here with your actual domain
Query 5: Large File Download or Print Volume
Employees who are planning to leave and exfiltrate data often do so through the most legitimate-looking channels available: downloading from SharePoint, printing documents, or copying to approved cloud storage. This query establishes baseline print volume and surfaces significant deviations.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "PrintJobCreated"
| summarize
TotalPages = sum(toint(AdditionalFields.NumberOfPages)),
PrintJobs = count()
by AccountName, bin(Timestamp, 1d)
| summarize
AvgDailyPages = avg(TotalPages),
MaxDailyPages = max(TotalPages),
TotalJobs = sum(PrintJobs)
by AccountName
| where MaxDailyPages > AvgDailyPages * 5
and MaxDailyPages > 100
| order by MaxDailyPages desc
Behavioral Indicators Beyond Queries
Technical queries catch data signals. Behavioral indicators require correlation with HR context to have meaning. These are worth knowing because they add weight to technical signals when combined.
- Notice period or pending departure — data access spikes in the weeks before an employee's departure are the most common insider threat pattern in financial institutions
- Performance issues or disciplinary action — employees under review may act preemptively to copy data before access is restricted
- Accessing data outside their role — a finance employee accessing HR data, or an HR employee accessing financial records, has no obvious legitimate reason
- Connecting to systems not visited in baseline period — use the first-time host authentication query from the lateral movement article to surface this
- Using personal devices on corporate network — BYOD or unmanaged device connections to sensitive systems are a common exfiltration vector
Never confront an insider threat subject with your evidence before involving HR and Legal. Doing so destroys evidence, creates legal exposure, and removes any chance of a controlled investigation. Document everything, involve the right stakeholders, and build the evidence chain before any confrontation.
The full insider threat runbook with HR and Legal coordination guidance, evidence chain of custody procedures, and investigation framework is in the IR Runbook Bundle. Join the Intelligence Pack for weekly detections and monthly Office Hours where you can ask insider threat questions directly.
Join Intelligence Pack — $14.99/month IR Runbook Bundle — $49Cancel anytime. 30-day money back guarantee.