Insider threats are the hardest category of security incident to detect. The attacker uses legitimate credentials, legitimate tools, and has legitimate reasons to be in most of the systems they access. The only reliable detection method is behavioral analytics based on deviation from established baseline patterns.

These queries and indicators come from insider threat investigations at regulated financial institutions where the stakes of both missing a real threat and incorrectly flagging an innocent employee are extremely high. Every detection here is built around behavioral deviation, not signature matching.

Legal and HR Coordination Required

Insider threat investigations require coordination with HR and Legal from the moment an employee is specifically identified as a subject of investigation. Do not proceed with targeted investigation of a named individual without involving these teams. Evidence handling and chain of custody matter for any potential legal action.

Understanding Insider Threat Patterns

Insider threats broadly fall into two categories. Malicious insiders are employees who deliberately exfiltrate data, sabotage systems, or assist external attackers. Negligent insiders cause harm through careless behavior without malicious intent. The detection approach differs significantly between them but the behavioral signals often overlap in the early stages.

The most reliable early indicators across both categories are access pattern changes. An employee who suddenly starts accessing systems or data they have never touched before, or who dramatically increases their access volume in a short period, is generating a behavioral signal worth investigating regardless of intent.

Query 1: Unusual Data Volume Access — Microsoft Sentinel KQL

Establishes a 30-day baseline of file access volume per user and surfaces accounts that significantly exceed their normal pattern. Data staging before exfiltration generates exactly this pattern.

let baseline = DeviceFileEvents
| where Timestamp between (ago(30d) .. ago(1d))
| where ActionType in ("FileRead","FileAccessed","FileDownloaded")
| summarize
    BaselineAvg = avg(count()),
    BaselineStd = stdev(count())
    by AccountName, bin(Timestamp, 1d);
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType in ("FileRead","FileAccessed","FileDownloaded")
| summarize TodayCount = count()
    by AccountName
| join kind=inner baseline on AccountName
| where TodayCount > BaselineAvg + (3 * BaselineStd)
| project AccountName, TodayCount,
    BaselineAvg=round(BaselineAvg, 0),
    Deviation=TodayCount - round(BaselineAvg, 0)
| order by Deviation desc

Query 2: USB and Removable Media Usage — CrowdStrike LogScale

Detects removable media connections from accounts or hosts where this behavior has not been observed in the baseline period. In financial institutions where USB access should be restricted, any removable media connection from a standard user is worth reviewing.

#event_simpleName=RemovableMediaMounted
| groupBy([UserName, ComputerName, DeviceInstanceId],
    function=min(timestamp, as=firstSeen))
| where firstSeen > now() - 1d * 1
| join(
    {#event_simpleName=RemovableMediaMounted
     | where timestamp < now() - 1d * 1
     | where timestamp > now() - 30d
     | groupBy([UserName, ComputerName],
         function=count(as=historicalMounts))},
    field=[UserName, ComputerName],
    mode=leftanti
  )
| table firstSeen UserName ComputerName DeviceInstanceId
| "sort" firstSeen desc

Query 3: After Hours Access to Sensitive Systems — Splunk

Surfaces authentication events to sensitive systems outside normal business hours from standard user accounts. Legitimate after-hours access to sensitive data should be rare and documentable. Unexplained after-hours access to financial or HR systems is a high-priority signal.

index=win_* EventCode=4624 earliest=-30d latest=now
| eval logon_type=coalesce(Logon_Type, LogonType)
| eval account=coalesce(Account_Name, TargetUserName)
| eval computer=coalesce(ComputerName, dest)
| where logon_type IN ("2","3","10")
| where match(computer, "(?i)(fin|hr|payroll|exec|dc|domain|sensitive)")
| eval hour=strftime(_time, "%H")
| where hour < "07" OR hour > "19"
| where NOT match(account, "(?i)(svc_|service|admin|backup|\$$)")
| stats
    count as logins,
    values(computer) as systems_accessed,
    dc(computer) as unique_systems
    by account, date_wday
| where unique_systems > 2 OR logins > 10
| sort -logins

Query 4: Email Forwarding Rule Creation

Detecting inbox forwarding rules created to external addresses is one of the most reliable indicators of credential compromise and insider data theft. Legitimate employees rarely set up forwarding to personal external accounts. This query surfaces new forwarding rules created in Exchange or Microsoft 365.

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in (
    "Set-Mailbox","New-InboxRule",
    "Set-InboxRule","UpdateInboxRules"
  )
| where RawEventData contains "ForwardTo"
    or RawEventData contains "ForwardingSmtpAddress"
    or RawEventData contains "RedirectTo"
| extend ForwardTarget = extract(
    '"ForwardTo":"([^"]+)"', 1, tostring(RawEventData))
| where ForwardTarget !endswith your_domain_here
| project Timestamp, AccountDisplayName,
    IPAddress, ActionType, ForwardTarget
| order by Timestamp desc

Replace your_domain_here with your actual domain

Query 5: Large File Download or Print Volume

Employees who are planning to leave and exfiltrate data often do so through the most legitimate-looking channels available: downloading from SharePoint, printing documents, or copying to approved cloud storage. This query establishes baseline print volume and surfaces significant deviations.

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "PrintJobCreated"
| summarize
    TotalPages = sum(toint(AdditionalFields.NumberOfPages)),
    PrintJobs = count()
    by AccountName, bin(Timestamp, 1d)
| summarize
    AvgDailyPages = avg(TotalPages),
    MaxDailyPages = max(TotalPages),
    TotalJobs = sum(PrintJobs)
    by AccountName
| where MaxDailyPages > AvgDailyPages * 5
    and MaxDailyPages > 100
| order by MaxDailyPages desc

Behavioral Indicators Beyond Queries

Technical queries catch data signals. Behavioral indicators require correlation with HR context to have meaning. These are worth knowing because they add weight to technical signals when combined.

Investigation Approach

Never confront an insider threat subject with your evidence before involving HR and Legal. Doing so destroys evidence, creates legal exposure, and removes any chance of a controlled investigation. Document everything, involve the right stakeholders, and build the evidence chain before any confrontation.

Intelligence Pack
Get the complete Insider Threat IR Runbook

The full insider threat runbook with HR and Legal coordination guidance, evidence chain of custody procedures, and investigation framework is in the IR Runbook Bundle. Join the Intelligence Pack for weekly detections and monthly Office Hours where you can ask insider threat questions directly.

Join Intelligence Pack — $14.99/month IR Runbook Bundle — $49

Cancel anytime. 30-day money back guarantee.