Insider Threat Detection Report
An insider threat campaign was detected originating from alex.martinez@example.com. The subject conducted systematic reconnaissance of sensitive SharePoint sites, escalated privileges by self-enrolling in the Finance-Admins security group, exfiltrated budget and payroll documents via bulk downloads and external sharing links, and attempted to cover tracks by deleting sharing links and generating decoy file access. The overall risk score of 0.92 indicates a high-severity incident requiring immediate response.
Campaign phases (as summarized above):
Reconnaissance: site enumeration, file discovery, keyword searches
Privilege escalation: self-enrollment in security groups, access requests
Exfiltration: bulk file downloads, external sharing, email exfiltration
Evasion: sharing-link deletion, decoy file access, evidence destruction
User alex.martinez@example.com downloaded multiple sensitive financial documents (Budget_2024.xlsx, Payroll_Summary.xlsx) within a short time window. This significantly exceeds their normal download baseline.
User created an anonymous sharing link for Budget_2024.xlsx and sent an email to personal@gmail.com with subject 'Q1 Review'. This represents a data exfiltration attempt via two independent channels.
User added themselves to the Finance group and requested direct access to restricted resources. This self-service privilege escalation bypasses normal access request workflows.
The sharing link for Budget_2024.xlsx was deleted shortly after it had been used for data exfiltration. This temporal pattern indicates deliberate evidence destruction to avoid detection.
User enumerated all available SharePoint sites and performed targeted searches for 'budget' and 'payroll' keywords. While individual actions may be benign, this pattern is consistent with insider threat reconnaissance.
Detection coverage: strong overall (81.8%); strong on escalation and exfiltration, weak on evasion.