Agent Foskett Academy • Lesson 116 • Incident Response Workflow Series

Incident Response Workflow: Insider Threat Investigation in Microsoft Defender XDR.

There was no malware alert.

No ransomware note. No obvious phishing email. No blocked executable.

Just a trusted user downloading files, accessing systems and moving data in a way that did not fit the normal pattern.

Agent Foskett knew this investigation was not about proving a tool was malicious. It was about determining whether legitimate access was being misused, whether the user was compromised, or whether normal behaviour had crossed into risk.

Agent Foskett Academy lesson investigating insider threats in Microsoft Defender XDR
Lesson overview

Learn how to investigate suspected insider threats by correlating Microsoft Defender XDR identity, endpoint, cloud and file activity to identify unusual user behaviour, abnormal data access and potential misuse of trusted access.

Review identity and access patterns
Investigate file and cloud activity
Correlate endpoint and network evidence
Build an evidence-based timeline

Why insider threat investigations matter

Insider threat investigations are different because the activity may be performed by a legitimate user with valid access. The challenge is proving context, intent, scope and risk without jumping to conclusions.
Trusted access can still create riskUsers may have legitimate permissions, but abnormal downloads, unusual access patterns, privilege misuse or data movement can still indicate a serious security issue.
Behaviour matters as much as malwareThere may be no malicious executable. The evidence may come from file access, cloud activity, endpoint usage, sign-in behaviour and business context.
Correlation prevents assumptionsIdentity, endpoint, cloud and file telemetry must be reviewed together so defenders can separate legitimate work from suspicious or policy-violating behaviour.

The insider threat investigation workflow

Agent Foskett treats insider threat cases as evidence-led investigations that require careful validation, preservation and escalation.
1. Confirm the reported concernStart with the report, alert or business concern. Identify the user, timeframe, data involved and why the behaviour appears unusual.
2. Review identity activityCheck sign-ins, locations, devices, authentication methods and any recent access changes that may explain or increase the risk.
3. Analyse cloud and file activityReview Microsoft 365, SharePoint, OneDrive and Exchange activity for abnormal access, bulk downloads, sharing changes or unusual data movement.
4. Investigate endpoint behaviourLook for compression tools, sync clients, removable media usage, scripting, unusual applications and file copy activity on the user device.
5. Review network destinationsCheck whether data moved to cloud storage, personal email, file-sharing services, unmanaged locations or suspicious external infrastructure.
6. Preserve and escalate evidenceDocument findings, preserve evidence and involve HR, legal, management or privacy stakeholders according to organisational policy.

Step 1 — Review the user sign-in history

Start with the user account and determine whether the activity occurred from expected locations, devices and authentication patterns.
step-1-review-user-signins.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where AccountUpn =~ UserToInvestigate
| project Timestamp,
          AccountUpn,
          ActionType,
          IPAddress,
          Location,
          DeviceName,
          FailureReason
| order by Timestamp asc

Step 2 — Summarise cloud activity for the user

Cloud activity helps identify whether the user accessed, downloaded, shared or modified large amounts of Microsoft 365 content.
step-2-summarise-cloud-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where AccountDisplayName =~ UserToInvestigate or AccountObjectId has UserToInvestigate
| summarize EventCount = count(),
            Actions = make_set(ActionType, 50),
            Apps = make_set(Application, 20),
            IPAddresses = make_set(IPAddress, 50),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by AccountDisplayName
| order by EventCount desc

Step 3 — Hunt for high-volume file activity

Large file creation, modification or copy activity may indicate bulk staging, collection or preparation for exfiltration.
step-3-high-volume-file-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
let UserToInvestigate = "user";
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessAccountName =~ UserToInvestigate
| summarize FileEvents = count(),
            FileNames = make_set(FileName, 50),
            Folders = make_set(FolderPath, 20),
            Devices = make_set(DeviceName, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by InitiatingProcessAccountName, ActionType
| order by FileEvents desc

Step 4 — Look for compression and staging tools

Insiders and compromised users may compress files before moving them to external storage or cloud services.
step-4-compression-and-staging-tools.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
let TimeFrame = 14d;
let UserToInvestigate = "user";
let StagingTools = dynamic(["7z.exe", "winrar.exe", "rar.exe", "zip.exe", "tar.exe", "powershell.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where AccountName =~ UserToInvestigate
| where FileName in~ (StagingTools)
   or ProcessCommandLine has_any ("Compress-Archive", ".zip", ".7z", ".rar")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc

Step 5 — Review external network destinations

Network evidence can show uploads to external storage, file-sharing platforms or unmanaged destinations.
step-5-external-network-destinations.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
let TimeFrame = 14d;
let UserToInvestigate = "user";
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessAccountName =~ UserToInvestigate
| where isnotempty(RemoteUrl) or isnotempty(RemoteIP)
| summarize ConnectionCount = count(),
            RemoteUrls = make_set(RemoteUrl, 50),
            RemoteIPs = make_set(RemoteIP, 50),
            Processes = make_set(InitiatingProcessFileName, 20),
            Devices = make_set(DeviceName, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by InitiatingProcessAccountName
| order by ConnectionCount desc

Step 6 — Correlate insider activity with alerts

Alerts may provide additional evidence that the user account, device or data activity is already being flagged by Microsoft Defender XDR.
step-6-correlate-with-alerts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
let TimeFrame = 14d;
let UserToInvestigate = "user";
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where AccountName =~ UserToInvestigate
   or AccountUpn has UserToInvestigate
| project Timestamp,
          AlertId,
          AccountName,
          AccountUpn,
          EntityType,
          EvidenceRole,
          DeviceName,
          RemoteIP
| order by Timestamp desc

Step 7 — Build the user activity timeline

A timeline helps explain whether the activity was a one-off event, a gradual pattern or a coordinated sequence of suspicious actions.
step-7-build-user-activity-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
let IdentityTimeline =
    IdentityLogonEvents
    | where Timestamp > ago(TimeFrame)
    | where AccountUpn =~ UserToInvestigate
    | project Timestamp, Source = "IdentityLogonEvents", Account = AccountUpn, Detail = strcat(ActionType, " from ", IPAddress);
let CloudTimeline =
    CloudAppEvents
    | where Timestamp > ago(TimeFrame)
    | where AccountDisplayName =~ UserToInvestigate
    | project Timestamp, Source = "CloudAppEvents", Account = AccountDisplayName, Detail = tostring(ActionType);
union IdentityTimeline, CloudTimeline
| order by Timestamp asc

Insider threat investigation clues

These clues do not prove malicious intent by themselves. They become stronger when several appear together in the same timeline.
Unusual volume of accessThe user downloads, opens, copies or modifies significantly more files than usual for their role or recent behaviour.
Sensitive data accessThe activity involves finance, HR, customer, intellectual property, executive or regulated information.
Timing does not fit normal workActivity occurs outside normal hours, during notice periods, before resignation, or from unusual locations.
Use of staging toolsCompression tools, scripting, removable storage or sync utilities appear near the suspicious data access.
External sharing or uploadsData appears to move toward personal cloud storage, file-sharing services, external email or unmanaged destinations.
Privilege misuseThe user accesses systems, mailboxes, shares, admin tools or privileged functions outside their normal responsibilities.

False positives to consider

Insider threat investigations must be careful, fair and evidence based. Many suspicious-looking actions can have legitimate explanations.
Project deadlinesLarge file access may be normal during migration, audit, tender, legal discovery or project delivery activities.
Role changesUsers moving teams may access unfamiliar systems while transitioning responsibilities.
Approved exportsFinance, HR, operations and engineering teams may legitimately export reports or datasets.
IT administrationHelpdesk, security and systems administrators may access unusual devices, accounts or directories as part of their role.
Cloud sync behaviourOneDrive, SharePoint sync clients and backup tools can generate high-volume file events.
Compromised account possibilityThe user may not be malicious. Their account may have been compromised and used by an external attacker.

Investigation checklist

Use this checklist before escalating or closing a suspected insider threat investigation.
Is the account compromised?Validate whether suspicious behaviour could be caused by credential theft, risky sign-ins or session misuse.
Is the access normal for the role?Compare the activity against the user job function, recent projects and historical behaviour.
What data was involved?Identify whether sensitive, regulated, financial, customer or intellectual property data was accessed or moved.
Was data copied or exfiltrated?Review downloads, external sharing, USB activity, compression tools, cloud uploads and network destinations.
Has evidence been preserved?Preserve logs, timelines, files, screenshots and investigation notes before taking disruptive action.
Who needs to be involved?Escalate according to policy, including security leadership, HR, legal, privacy, management or executive stakeholders.

Related Agent Foskett Academy lessons

These lessons help support insider threat investigations.
Hunting Playbook: Credential TheftInvestigate suspicious authentication, token usage and compromised user accounts.
Hunting Playbook: Risky Sign-insValidate identity risk, sign-in behaviour and suspicious access attempts.
Incident Response Workflow: Compromised User AccountReconstruct attacker activity after a user account compromise.
Incident Response Workflow: Business Email CompromiseInvestigate mailbox misuse, financial fraud indicators and post-compromise activity.
Investigating IdentityLogonEventsUnderstand identity sign-in telemetry inside Microsoft Defender XDR.
Building Reusable Hunting QueriesTurn investigation logic into repeatable KQL workflows.

Coming next

The Incident Response Workflow series continues with data exfiltration investigations.
Lesson 117 — Incident Response Workflow: Data ExfiltrationNext, Agent Foskett investigates suspicious data movement, cloud uploads, file downloads, external sharing and evidence that sensitive information may have left the organisation.
Why this mattersInsider threat investigations often lead directly into data exfiltration analysis. The next lesson focuses on proving what data moved, where it went and how defenders should respond.

Final thought

Insider threat investigations require discipline, context and evidence.
Agent Foskett mindsetDo not assume intent from a single event. Build the timeline, validate the behaviour, preserve the evidence and let the telemetry support the conclusion.
Incident Response Workflow SeriesLesson 116 connects identity, endpoint, cloud and file activity into a careful investigation workflow for suspected insider threats.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Incident Response Workflow Insider Threat Investigation in Microsoft Defender XDR

Agent Foskett Academy Lesson 116 teaches defenders how to investigate suspected insider threats using Microsoft Defender XDR identity, endpoint, cloud, file and network telemetry.

Learn insider threat investigation with Microsoft Defender XDR and KQL

Insider threat investigations help Microsoft security analysts review unusual user behaviour, abnormal data access, file movement, privilege misuse, endpoint activity and cloud activity using KQL workflows.

Microsoft Defender XDR insider threat investigation tutorial

This lesson explains how to investigate suspected insider threats, validate business context, preserve evidence and determine whether trusted access is being misused or whether the account is compromised.