Agent Foskett Academy • Lesson 109 • Hunting Playbook Series

Hunting Playbook: Insider Threats in Microsoft Defender XDR.

The account was trusted.

The device was managed. The sign-in was successful. The user had permission to access the data.

But the behaviour did not fit the person.

Agent Foskett knew insider threat hunting is not about assuming guilt. It is about identifying unusual activity, validating context and determining whether trusted access is being misused, abused or compromised.

Agent Foskett Academy lesson hunting insider threats in Microsoft Defender XDR
Lesson overview

Learn how to hunt for insider threats by correlating Microsoft Defender XDR identity, endpoint and Microsoft 365 activity to identify unusual behaviour, privileged access misuse and suspicious data movement.

Review unusual user behaviour
Correlate file, cloud and endpoint activity
Separate authorised access from misuse
Build a defensible investigation timeline

Why insider threat hunting matters

Insider threat investigations are sensitive because the activity may involve legitimate permissions, trusted accounts and normal business tools. The job of the defender is to investigate behaviour, context and evidence without jumping to conclusions.
Trusted access can still be riskyAn insider or compromised trusted account may access data, download files or use privileged rights in ways that are technically allowed but operationally unusual.
Context mattersRole, department, location, working hours, device, project access and recent business activity all help determine whether behaviour makes sense.
Evidence must be defensibleInsider threat investigations require clear timelines, careful language and strong evidence because the outcome can involve people, HR and legal teams.

The insider threat hunting workflow

Agent Foskett approaches insider threat hunting as a structured evidence review, not a single alert.
1. Identify the unusual activityStart with the user, action, file, device, location or privilege event that triggered concern.
2. Establish normal behaviourCompare the activity with the user's normal sign-in times, devices, locations, file access and business role.
3. Review data accessLook for unusual file reads, downloads, sharing, deletions, archive activity or access to sensitive locations.
4. Check identity and privilege activityReview role changes, group membership, administrative actions, risky sign-ins and authentication context.
5. Correlate endpoint behaviourLook for compression tools, removable media activity, unusual processes, command-line usage and unexpected network connections.
6. Build the timelineCreate a chronological sequence showing what happened before, during and after the suspicious activity.

Step 1 — Review unusual user activity

Start by reviewing broad activity for the user across Microsoft 365 and cloud workloads.
step-1-review-user-cloud-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where AccountDisplayName =~ UserToInvestigate
   or AccountObjectId =~ UserToInvestigate
   or AccountId =~ UserToInvestigate
| project Timestamp,
          AccountDisplayName,
          Application,
          ActionType,
          IPAddress,
          City,
          CountryCode,
          ObjectName,
          ActivityType
| order by Timestamp desc

Step 2 — Find unusual file access volume

A sudden increase in file access or downloads may indicate data collection or exfiltration preparation.
step-2-unusual-file-access-volume.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let TimeFrame = 30d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("FileDownloaded", "FileAccessed", "FileSyncDownloadedFull")
| summarize FileEvents = count(),
            Files = make_set(ObjectName, 50),
            Applications = make_set(Application, 20),
            IPAddresses = make_set(IPAddress, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by AccountDisplayName
| order by FileEvents desc

Step 3 — Hunt for suspicious sharing activity

External sharing, anonymous links or unusual sharing destinations can be important insider threat signals.
step-3-suspicious-sharing-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
let TimeFrame = 30d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("SharingSet", "AddedToSecureLink", "FileShared", "AnonymousLinkCreated")
| project Timestamp,
          AccountDisplayName,
          Application,
          ActionType,
          ObjectName,
          TargetUserOrGroupName,
          IPAddress,
          City,
          CountryCode
| order by Timestamp desc

Step 4 — Review activity outside normal hours

After-hours activity is not automatically malicious, but it can help highlight behaviour that needs context.
step-4-after-hours-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 14d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| extend HourOfDay = datetime_part("hour", Timestamp)
| where HourOfDay < 6 or HourOfDay > 20
| summarize AfterHoursEvents = count(),
            Actions = make_set(ActionType, 30),
            Objects = make_set(ObjectName, 30),
            IPAddresses = make_set(IPAddress, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by AccountDisplayName
| order by AfterHoursEvents desc

Step 5 — Correlate endpoint collection behaviour

Insider investigations should check whether files were compressed, staged or moved using endpoint tools.
step-5-endpoint-collection-behaviour.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let TimeFrame = 14d;
let CollectionTools = dynamic(["7z.exe", "7za.exe", "winrar.exe", "rar.exe", "powershell.exe", "robocopy.exe", "xcopy.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (CollectionTools)
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc

Step 6 — Review privileged access changes

Privileged role activity can turn an insider investigation into a high-risk escalation.
step-6-privileged-access-changes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let TimeFrame = 30d;
IdentityDirectoryEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("Add member to role", "Add member to group", "Update user", "Reset password", "Add app role assignment")
| project Timestamp,
          ActionType,
          AccountUpn,
          TargetAccountUpn,
          AdditionalFields,
          IPAddress
| order by Timestamp desc

Common insider threat investigation clues

No single clue proves malicious intent. The strongest cases combine multiple behaviours that do not fit the user, role or business context.
Unusual data volumeThe user accesses or downloads far more files than normal, especially from sensitive locations.
Access outside role expectationsThe user accesses data unrelated to their team, project, customer or job function.
After-hours activityThe activity happens at unusual times and does not align with normal work patterns or business deadlines.
External sharingFiles are shared externally, anonymous links are created or sensitive content is sent outside the organisation.
Collection behaviourEndpoint telemetry shows compression, copying, scripting or bulk file movement before data leaves the environment.
Privilege misuseThe user changes permissions, adds group membership or uses administrative rights in an unusual way.

False positives to consider

Insider threat hunting must be careful. Many behaviours that look suspicious can be legitimate when business context is understood.
Project deadlinesA user may download many files before a deadline, audit, migration or customer handover.
Role changesNew responsibilities can explain access to different systems, repositories or data locations.
Travel and remote workLocation, time and device patterns may change during travel or remote work periods.
IT administrationAdmins may use unusual tools, elevated privileges and bulk operations as part of normal support work.
Data migrationBulk downloads, sync activity and sharing changes may be part of approved migration or archiving activity.
Shared accounts or devicesShared workstations and legacy accounts can make attribution more difficult.

Investigation checklist

Use this checklist before escalating or closing an insider threat investigation.
What triggered the concern?Document the original signal, user, timestamp, device, file, action and source system.
Does the user normally perform this action?Compare the activity against the user's role, team, history and business need.
Was sensitive data involved?Identify whether the files, sites, mailboxes or systems contain regulated, customer or confidential data.
Was data moved or shared?Check downloads, external sharing, email forwarding, archive creation and removable media activity.
Was privilege used or changed?Review role assignments, group changes, administrative actions and access modifications.
Is this a people-sensitive case?Escalate carefully through the correct security, HR, legal and management channels when required.

Related Agent Foskett Academy lessons

These lessons support insider threat investigations across identity, endpoint and cloud activity.
Hunting Playbook: Risky Sign-insReview suspicious authentication patterns before assessing user behaviour.
Hunting Playbook: Credential TheftDetermine whether suspicious insider-like behaviour could actually be a compromised account.
Hunting Playbook: Persistence MechanismsLook for persistence activity when trusted accounts or endpoints behave unusually.
Investigating IdentityDirectoryEventsUnderstand directory changes, role activity and account modifications.
Investigating DeviceProcessEventsReview endpoint process activity linked to collection, staging or exfiltration.
Building Reusable Hunting QueriesTurn insider threat review logic into a repeatable investigation workflow.

Coming next

The Hunting Playbook series continues with ransomware investigations.
Lesson 110 — Hunting Playbook: RansomwareNext, Agent Foskett investigates ransomware behaviour across endpoint telemetry, file activity, process execution, encryption patterns and recovery evidence.
Why this mattersInsider threat hunting focuses on trusted access and unusual behaviour. Ransomware hunting focuses on destructive behaviour, encryption activity and rapid containment.

Final thought

Insider threat investigations demand precision, context and restraint.
Agent Foskett mindsetDo not investigate people by assumption. Investigate behaviour, timeline, access, data movement and evidence.
Hunting Playbook SeriesLesson 109 connects identity, endpoint and Microsoft 365 activity into a careful insider threat investigation workflow.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Hunting Playbook Insider Threats in Microsoft Defender XDR

Agent Foskett Academy Lesson 109 teaches defenders how to investigate insider threats using Microsoft Defender XDR, Microsoft 365 activity, identity telemetry, endpoint evidence, data access patterns and KQL hunting workflows.

Learn insider threat hunting with KQL and Microsoft Defender XDR

Insider threat investigations help Microsoft security analysts review unusual user behaviour, privileged access misuse, suspicious file access, external sharing, data movement and post-authentication activity.

Microsoft 365 insider threat investigation tutorial

This lesson explains how to hunt for insider threats, unusual internal behaviour, abnormal downloads, suspicious sharing, privilege misuse and endpoint collection activity using Microsoft security telemetry.