Hunting Playbook: Insider Threats in Microsoft Defender XDR.
The account was trusted.
The device was managed. The sign-in was successful. The user had permission to access the data.
But the behaviour did not fit the person.
Agent Foskett knew insider threat hunting is not about assuming guilt. It is about identifying unusual activity, validating context and determining whether trusted access is being misused, abused or compromised.
Lesson overview
Learn how to hunt for insider threats by correlating Microsoft Defender XDR identity, endpoint and Microsoft 365 activity to identify unusual behaviour, privileged access misuse and suspicious data movement.
Why insider threat hunting matters
The insider threat hunting workflow
Step 1 — Review unusual user activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where AccountDisplayName =~ UserToInvestigate
or AccountObjectId =~ UserToInvestigate
or AccountId =~ UserToInvestigate
| project Timestamp,
AccountDisplayName,
Application,
ActionType,
IPAddress,
City,
CountryCode,
ObjectName,
ActivityType
| order by Timestamp descStep 2 — Find unusual file access volume
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 30d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("FileDownloaded", "FileAccessed", "FileSyncDownloadedFull")
| summarize FileEvents = count(),
Files = make_set(ObjectName, 50),
Applications = make_set(Application, 20),
IPAddresses = make_set(IPAddress, 20),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccountDisplayName
| order by FileEvents descStep 3 — Hunt for suspicious sharing activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TimeFrame = 30d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("SharingSet", "AddedToSecureLink", "FileShared", "AnonymousLinkCreated")
| project Timestamp,
AccountDisplayName,
Application,
ActionType,
ObjectName,
TargetUserOrGroupName,
IPAddress,
City,
CountryCode
| order by Timestamp descStep 4 — Review activity outside normal hours
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 14d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| extend HourOfDay = datetime_part("hour", Timestamp)
| where HourOfDay < 6 or HourOfDay > 20
| summarize AfterHoursEvents = count(),
Actions = make_set(ActionType, 30),
Objects = make_set(ObjectName, 30),
IPAddresses = make_set(IPAddress, 20),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccountDisplayName
| order by AfterHoursEvents descStep 5 — Correlate endpoint collection behaviour
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 14d;
let CollectionTools = dynamic(["7z.exe", "7za.exe", "winrar.exe", "rar.exe", "powershell.exe", "robocopy.exe", "xcopy.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (CollectionTools)
| project Timestamp,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessFileName
| order by Timestamp descStep 6 — Review privileged access changes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let TimeFrame = 30d;
IdentityDirectoryEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("Add member to role", "Add member to group", "Update user", "Reset password", "Add app role assignment")
| project Timestamp,
ActionType,
AccountUpn,
TargetAccountUpn,
AdditionalFields,
IPAddress
| order by Timestamp descCommon insider threat investigation clues
False positives to consider
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Hunting Playbook Insider Threats in Microsoft Defender XDR
Agent Foskett Academy Lesson 109 teaches defenders how to investigate insider threats using Microsoft Defender XDR, Microsoft 365 activity, identity telemetry, endpoint evidence, data access patterns and KQL hunting workflows.
Learn insider threat hunting with KQL and Microsoft Defender XDR
Insider threat investigations help Microsoft security analysts review unusual user behaviour, privileged access misuse, suspicious file access, external sharing, data movement and post-authentication activity.
Microsoft 365 insider threat investigation tutorial
This lesson explains how to hunt for insider threats, unusual internal behaviour, abnormal downloads, suspicious sharing, privilege misuse and endpoint collection activity using Microsoft security telemetry.
