Exposing Insider Threats through Data Protection, Identity, and HR Context

Insider threats pose a growing risk to organizations. Whether insiders take malicious actions, exhibit negligent behavior, or make accidental errors, they have the potential to cause significant harm to an organization’s assets, sensitive data, and reputation.

Insiders can pose a variety of risks, from stealing confidential data and intellectual property to disrupting systems. Understanding user behavior patterns, correlating activity across multiple data sources, and detecting behavioral anomalies early are critical to identifying both malicious insiders and negligent users before they cause significant harm.

CrowdStrike Falcon® Data Protection and CrowdStrike Falcon® Next-Gen Identity Security, combined with CrowdStrike Falcon® Next-Gen SIEM, enable customers to quickly detect and respond to insider threats. Through the new Insider Threat Analytics and User Activity Investigation dashboards, both in Falcon Next-Gen SIEM, organizations can leverage user behavior analytics, data access patterns, risk indicator scoring, and policy violation alerts to identify and investigate insider risks.

In this blog, we detail the dashboard features that can detect insider threats and how customers can leverage this tool for proactive defense. We also share example attack scenarios to show how CrowdStrike Falcon detects insider threat techniques and outline how these dashboards support a complete insider threat program.

Building an Insider Threat Detection Program with CrowdStrike Falcon

Effective insider threat detection requires a robust strategy that combines behavioral analytics, multi-source correlation, policy enforcement, and streamlined investigation workflows. The CrowdStrike Falcon - Insider Threat Analytics and CrowdStrike Falcon Data Protection - User Activity Investigation dashboards implement the following capabilities to support a complete insider threat program:

1. Multi-Layer Detection Architecture

The dashboards correlate telemetry across multiple security layers to detect insider threat indicators at every stage of an attack:

  • Identity Protection Layer: Monitor authentication anomalies, privilege escalations, and indicators of credential compromise through identity risk scores.
  • Data Protection Layer: Track data egress patterns including large transfers, unusual destinations, off-hours activity, and policy violations through Falcon Data Protection detections and DataEgress events.
  • Endpoint Layer: Detect data movement from non-standard endpoints including servers, domain controllers, and cloud instances through the Unusual Endpoints hunting section.
  • HR Context Layer: Enhance monitoring for new and departing employees.
  • Cross-Layer Event Correlation: Link activities across all layers to detect insider attacks in their early stages:
    • Combine Falcon Data Protection detections and data egress events with source user identity risk score and HR employment status.
    • Identify risk indicators based on behaviors and activity logs from the above sources, with thresholds and scoring that can be customized to organization policies and baselines.

2. Advanced Behavioral Analytics and Hunting Leads

The dashboards establish baselines for user behavior and monitor deviations to identify insider threats.

  • Statistical Baseline Establishment: Create behavioral baselines using configurable historical periods (7-30+ days).
  • First-Seen Analysis: Detect new “source user - data egress destination” combinations and device usage patterns to identify insiders engaging in novel activities that deviate from established patterns, which can indicate policy violations or unauthorized activity. The dashboards surface:
    • New Destinations: Compare first-time web upload destinations to individual user baselines.
    • USB Device Monitoring: Track new removable storage device usage with baseline comparison.
    • Destination Account Analysis: Extract and monitor destination account domains to identify suspicious ones.
  • Rare Event Detection: Identify statistically anomalous destinations and activities based on organizational frequency patterns.
  • Temporal Anomaly Detection: Identify suspicious activity during off-hours, including weekends.
  • Unusual Endpoint for Data Egress: Monitor data egress from non-desktop systems (servers, domain controllers, cloud instances).

3. Risk-Based Prioritization

A risk-based prioritization framework enables the organization to prioritize responses based on the severity and likelihood of a threat. The dashboards accelerate investigation workflows through automated risk scoring and user ranking:

  • Dynamic Risk Scoring: Combine identity, behavioral, HR status, and data egress indicators to calculate per-user risk scores.
  • High-Risk User Identification: Surface users with elevated risk scores for immediate investigation.
  • Configurable Thresholds: Adjust minimum indicator counts and select which indicators to include based on organizational priorities.

4. Policy and Compliance Framework

Data protection policies ensure adherence to regulations and security best practices. The dashboards provide visibility into policy effectiveness and coverage:

  • Falcon Data Protection Policy Enforcement Visibility: Track Falcon Data Protection policy actions (Monitored, Blocked, Allowed, Simulated) across all egress channels.
  • Coverage Assessment: Monitor protected vs. unprotected data egress to identify policy gaps.
  • Detection Analytics: Analyze detections by severity, type, content patterns, and sensitivity labels.

5. Investigation and Response Capabilities

When a potential insider threat is detected, the dashboards accelerate investigation through interactive workflows and cross-platform integration:

  • Timeline Analysis: Reconstruct attack chains to understand the full scope of the threat via event timelines for selected users.
  • User Context: Integrate identity risk scores, HR employment status, and user attributes to enrich investigations.
  • Interactive Filtering: Enable filtering across multiple dimensions (severity, channel, policy, content type).
  • Advanced Event Search: Get direct links for in-depth event investigation.

Introducing the Insider Threat Analytics Dashboard

Design, Capabilities, and Requirements

The “CrowdStrike Falcon - Insider Threat Analytics” dashboard features six specialized analytical sections designed to aid in risk assessment and investigation. Available to organizations with Falcon Data Protection and Falcon Next-Gen Identity Security, the dashboard combines automated risk indicator scoring with behavioral hunting capabilities to identify high-risk users and suspicious activity patterns requiring further investigation.

The dashboard implements a progressive investigation workflow that guides analysts from risk identification to behavioral hunting:

  • Insider Risk Indicators surface high-risk users through automated scoring
  • Falcon Data Protection Detection Analytics provide detection pattern analysis and user selection
  • Hunting Leads sections (four sections) target specific behavioral anomalies: rare destinations, first-seen activities, unusual endpoints, and off-hours activity

This architecture enables filter-and-focus investigation: Analysts select high-risk users in top sections, applying them as global filters to narrow analysis across all remaining sections. Interactive widgets support both dashboard-internal refinement and cross-dashboard pivoting to the companion User Activity Investigation dashboard for in-depth analysis of data egress events. The design separates risk-based hunting (this dashboard) from detailed event investigation (companion dashboard), optimizing both workflow efficiency and system performance by distributing query load across two focused views.

The dashboard's risk scoring methodology synthesizes telemetry from critical sources including data movement (Falcon Data Protection), identity behavior (Falcon Next-Gen Identity Security), and employee lifecycle (Workday) to detect insider threats that single-source monitoring would miss. This correlation transforms isolated security signals into contextualized risk intelligence: Falcon Data Protection detections reveal what data moved and where, Falcon Next-Gen Identity Security provides behavioral risk context, and Workday identifies high-risk employment status. The result is multi-dimensional risk scoring where, for example, a user egressing confidential data to a rare destination while exhibiting high identity risk scores receives compounded risk points that elevate them above users triggering individual indicators. This enables analysts to prioritize investigations based on holistic threat profiles rather than individual alerts.

Risk scoring is enhanced through an integration with Workday HR data to identify departing employees. The Insider Risk - Workday Leavers application in CrowdStrike Falcon® Foundry automatically syncs employee termination data and enables two high-value risk indicators that substantially increase risk scores when departing employees exhibit suspicious data egress behaviors. While optional, this integration is strongly recommended as departing employees represent one of the highest-priority insider threat scenarios.

A supplementary requirement for maximizing this dashboard’s capabilities is ensuring Content Inspection is properly enabled across Falcon Data Protection policies. This helps ensure visibility into sensitive data movement across your environment. Content Inspection enables the dashboard to surface sensitivity labels and content patterns in Falcon Data Protection detections, powering a specific set of risk indicators that elevate risk scores when confidential data egress activities are detected. Also, by analyzing these patterns through the dashboard's Detection Analytics section, security teams can quantify which users are handling sensitive data and prioritize investigations based on the sensitivity context.

Next, we’ll take a closer look at individual sections of the Insider Threat Analytics dashboard.

Insider Risk Indicators

This section identifies and ranks users with the highest insider risk based on a set of predefined risk indicators that compound into a total risk score. The indicators combine Falcon Data Protection and Falcon Next-Gen Identity Security telemetry and Workday employment status to calculate total risk scores (1-100 points per user).

The risk scoring methodology combines 25 indicators including specific security events (Falcon Data Protection detections, sensitive data handling, rare destinations) and behavioral/contextual patterns (employment status, identity risk, data egress volume anomalies). Analysts can customize risk calculations through configurable parameters — selecting which indicators to include, filtering by employee status, and setting minimum indicator count thresholds — allowing security teams to tune risk scoring based on their environment and investigation priorities.

Note: All dashboard screenshots show a test instance.

Figure 1. Dashboard section outlining insider risk indicators

Users are ranked by insider risk score in descending order to help analysts prioritize investigations, with the highest-risk accounts displayed first for immediate attention.

Figure 2. Dashboard section outlining user risk scores with supplementary details

Falcon Data Protection Detection Analytics

This section provides in-depth analysis of Falcon Data Protection detections through statistical breakdowns, trend analysis, and user-focused drill-down functionality. Analysts can explore detection patterns across multiple dimensions including severity levels (Critical, High, Medium, Low), detection types (anomaly-based vs. rule-based), response actions (Blocked, Allowed, Monitored, Simulated), egress channels (Web, USB), sensitivity labels, and content patterns.

The section features visualizations including Detection Count and Data Volume over Time for trend analysis, Detection Severity to Response Action mapping (sankey diagram) revealing policy enforcement patterns, and Detection Count by Sensitivity Labels and Content Patterns for understanding what types of sensitive data are triggering detections. The Detection Summary by User table enables drill-down investigation, displaying each user's detection counts, highest severity levels, data volumes, and file types — with direct links to the Falcon Data Protection Detections page and Falcon Next-Gen Identity Security profiles, and the ability to pivot to the companion User Activity Investigation dashboard. This multi-dimensional analysis enables security teams to detect insider threats and prioritize investigations based on detection patterns and user behavior, while identifying policy gaps and tuning detection rules to improve Falcon Data Protection policy effectiveness.

Figure 3. Dashboard section surfacing Falcon Data Protection detection analytic information

Hunting Leads - Data Egress Rare Events

This section identifies users engaging in data egress to uncommon destinations that may indicate unauthorized data transfer or policy violations. It analyzes rare web destinations and destination account domains based on organizational frequency patterns, identifies the least frequently accessed destinations company-wide, and surfaces users who access these statistical outliers.

By default, the section identifies the top 10 rarest web destinations and top 5 rarest destination account domains (extracted from cloud username fields), with configurable thresholds allowing analysts to adjust sensitivity. Interactive widgets display user distribution across rare destinations through pie charts, with detailed summary tables providing event counts, data volumes, destinations, and timestamps for investigation. Analysts can select users to apply as global filters, or pivot to the User Activity Investigation dashboard for detailed forensic analysis of flagged user activity. This frequency-based analysis enables detection of uncommon data egress destinations, use of unauthorized personal accounts, or access to suspicious destinations that fall outside normal organizational data movement patterns.

Figure 4. Dashboard section outlining hunting leads for rare data egress events

Additional Hunting Capabilities

The dashboard includes three additional hunting lead sections targeting specific behavioral anomalies:

  • Hunting Leads - Data Egress First-seen Activity: Identifies users exhibiting new data egress behaviors that deviate from their established patterns, potentially indicating policy violations or unauthorized activity. This section analyzes first-seen web destinations, destination account domains (extracted from cloud usernames), and USB storage devices based on individual users’ historical activity. It compares recent activity within a configurable assessment window (default: 7 days) against historical baselines to detect behavioral changes. Analysts can configure domain exclusions for known legitimate services and adjust the assessment period to balance detection sensitivity with investigation volume, enabling identification of users suddenly accessing new cloud services, connecting unfamiliar storage devices, or egressing data to previously unseen external accounts.
  • Hunting Leads - Data Egress from Unusual Endpoints: Identifies data egress activity from non-standard endpoints potentially indicating malicious insider activity or unauthorized activity. This section analyzes data movement from servers, domain controllers, cloud instances (AWS, Azure, Google Cloud), and other non-desktop systems that typically should not be used for routine data transfers. By monitoring egress from these atypical endpoints, analysts can detect unauthorized data transfers from privileged systems, compromised server infrastructure, and cloud workloads being misused for data exfiltration. The section provides configurable endpoint type exclusions, enabling organizations to focus on the most relevant system types for their environment.
  • Hunting Leads - Activity During Off Hours: Identifies data egress events and Falcon Data Protection detections occurring outside normal business hours that might indicate suspicious behaviors. This section analyzes both Falcon Data Protection detections and data egress events during off-hours periods based on configurable timezone and business hour parameters (default: 5 a.m.-10 p.m. CST), enabling organizations to define business hours aligned with their operational context. The section categorizes off-hours activity into three types: weekend activity, activity before business hours start, and activity after business hours end. This helps analysts identify temporal patterns that may indicate malicious intent or unauthorized after-hours data transfers requiring investigation.

Each section provides interactive summary tables displaying event counts, data volumes, user details, timestamps, destination information, and pivot capabilities to the User Activity Investigation dashboard for detailed analysis of flagged activity.
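As an added example (not CrowdStrike's code and not the dashboard's implementation), the following Python reproduces the three-way off-hours categorisation described for the Activity During Off Hours section over constructed event records. It treats the page's "CST" as a fixed UTC-6 offset, which is an assumption, and takes the offset and business hours as parameters so the same logic can be tuned the way the section describes.

```python
# Added example, not CrowdStrike's code: classify DataEgress-style event timestamps
# into the dashboard's off-hours categories (weekend, before hours, after hours).
from datetime import datetime, time, timedelta, timezone

DEFAULT_UTC_OFFSET_HOURS = -6   # assumption: the page's "CST" taken as a fixed UTC-6 offset
DEFAULT_START = "05:00"         # business hours start (inclusive), the documented default
DEFAULT_END = "22:00"           # business hours end (exclusive), the documented default


def _utc_ms(iso: str) -> int:
    """Epoch milliseconds for an ISO-8601 UTC timestamp, the form @timestamp is stored in."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)


def classify_off_hours(ts_ms: int, utc_offset_hours: float = DEFAULT_UTC_OFFSET_HOURS,
                       start: str = DEFAULT_START, end: str = DEFAULT_END) -> str:
    """Return 'business_hours', 'weekend', 'before_hours' or 'after_hours' for an
    epoch-millisecond timestamp evaluated in the configured local time."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).astimezone(local_tz)
    if local.weekday() >= 5:  # Saturday=5, Sunday=6; weekend takes precedence over time of day
        return "weekend"
    local_time = local.time()
    if local_time < time.fromisoformat(start):
        return "before_hours"
    if local_time >= time.fromisoformat(end):
        return "after_hours"
    return "business_hours"


def off_hours_summary(events, **window) -> dict:
    """Per-user counts of off-hours events by category; business-hours events are dropped.
    Each event needs 'UserName' and 'timestamp' (epoch ms); **window goes to classify_off_hours."""
    summary: dict = {}
    for ev in events:
        category = classify_off_hours(ev["timestamp"], **window)
        if category == "business_hours":
            continue
        per_user = summary.setdefault(ev["UserName"], {})
        per_user[category] = per_user.get(category, 0) + 1
    return summary


# Constructed sample events (February 2024; local time is UTC-6 throughout).
SAMPLE_EVENTS = [
    {"UserName": "alice", "timestamp": _utc_ms("2024-02-14T15:00:00Z")},  # Wed 09:00 local
    {"UserName": "alice", "timestamp": _utc_ms("2024-02-14T09:30:00Z")},  # Wed 03:30 local
    {"UserName": "alice", "timestamp": _utc_ms("2024-02-15T04:30:00Z")},  # Wed 22:30 local
    {"UserName": "bob",   "timestamp": _utc_ms("2024-02-17T18:00:00Z")},  # Sat 12:00 local
    {"UserName": "bob",   "timestamp": _utc_ms("2024-02-15T04:00:00Z")},  # Wed 22:00 local (end boundary)
    {"UserName": "bob",   "timestamp": _utc_ms("2024-02-14T11:00:00Z")},  # Wed 05:00 local (start boundary)
]

if __name__ == "__main__":
    for user, counts in off_hours_summary(SAMPLE_EVENTS).items():
        print(user, counts)
```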

Introducing the User Activity Investigation Dashboard

The CrowdStrike Falcon Data Protection - User Activity Investigation dashboard complements the Insider Threat Analytics dashboard with detailed forensic analysis of user data egress activity. Designed for in-depth investigation workflows, this dashboard enables security analysts to conduct event-level analysis of flagged users and examine behavior patterns, data movement trends, and policy enforcement across web and USB egress channels.

Analysts can pivot directly from the Insider Threat Analytics dashboard with user context automatically applied, or conduct standalone investigations of specific users exhibiting suspicious data egress activity. The dashboard is organized into three main sections for detailed investigation workflows, as presented below.

Falcon Data Protection Detection Analytics

This section is replicated across both dashboards to provide complete Falcon Data Protection context during investigations. When examining a specific user's activity in this dashboard, analysts can review both detection patterns (policy violations) and data egress events (broader data movement) without navigating between dashboards, ensuring all relevant Falcon Data Protection telemetry is accessible in a single view.

Data Egress Analytics - Web Destinations

This section provides in-depth analysis of web-based data egress activity through statistical breakdowns, destination mapping, trend analysis, and user-focused drill-down functionality. It enables analysts to understand data movement across web egress channels, policy actions, classifications, and content types, revealing web data egress destination patterns, what data is being transferred, and how Falcon Data Protection policies are responding. Analysts can drill down to investigate specific users and examine their detailed web egress activity.

Figure 5. Dashboard section showcasing data egress analytics for web traffic

Data Egress Analytics - USB Destinations

This provides the same in-depth analytical capabilities as the Web Destinations section but covers USB-based data egress activity. Through statistical breakdowns, device mapping, trend analysis, and user-focused drill-down functionality, analysts can understand data movement across USB egress channels, policy actions, classifications, and content types, which reveal USB device usage patterns, what data is being transferred to removable media, and how Falcon Data Protection policies are responding. Analysts can drill down to investigate specific users and examine their detailed USB egress activity.

Figure 6. Dashboard section showcasing data egress analytics for USB devices

Investigation Workflow Features

The dashboard provides interactive capabilities designed to streamline investigations and enable seamless navigation across the Falcon platform.

Interactive Filtering and Navigation: Dashboard parameters enable filtering by users, severity levels, policy actions, detection types, egress channels, sensitivity labels, and content patterns to focus analysis on relevant activity. Users can be selected from any table to apply as global filters across all dashboard sections, automatically narrowing all widgets to that user's activity. When pivoting to the User Activity Investigation dashboard, high-risk users are automatically applied as global filters to streamline the transition from risk identification to detailed analysis.

Figure 7. Dashboard feature to filter and down-select detections on a given user

Platform Navigation: Interactive widgets provide direct links to the Falcon Data Protection Detections page for policy review, the Falcon Data Protection Events page for operational context, and Identity Protection user profiles for behavioral risk context. The Advanced Event Search link enables complex query-based investigation for analysts requiring custom analysis beyond dashboard capabilities.

Hunting Customization: Configurable parameters allow customization for hunting thresholds including rare destination counts, first-seen assessment periods, off-hours definitions, and endpoint type exclusions. This enables analysts to tune behavioral anomaly detection based on organizational context and investigation priorities.

Insider Threat Detection Mapping

The following table maps insider threat types to their primary detection signals, corresponding dashboard sections, and recommended response strategies:

Table 1. Dashboard sections mapping to specific threat types

Threat Type: Negligent User
  • Primary Detection Signals: Policy violations; Confidential data handling; Personal web destination
  • Dashboard Sections: Insider Risk Indicators; Falcon Data Protection Detection Analytics; Data Egress Analytics - Web Destinations
  • Detection & Response Strategy: Monitor policy violations and sensitivity label triggers; implement user training on data handling; review and tune Falcon Data Protection policies based on detection patterns

Threat Type: Compromised Account
  • Primary Detection Signals: Unusual destinations; First-seen behavior; Off-hours activities; Elevated identity risk
  • Dashboard Sections: Insider Risk Indicators; Hunting Leads - Rare Events; Hunting Leads - First-seen Activity; Hunting Leads - Off Hours
  • Detection & Response Strategy: Correlate Falcon Data Protection activity with identity risk scores; investigate sudden behavioral changes; monitor authentication anomalies

Threat Type: Malicious Insider
  • Primary Detection Signals: Rare destinations; Unusual endpoints; USB transfers; Encrypted archives; Volume-based anomalies; Confidential data handling
  • Dashboard Sections: Insider Risk Indicators; Falcon Data Protection Detection Analytics; Hunting Leads - Rare Events; Hunting Leads - First-seen Activity; Hunting Leads - Unusual Endpoints; Data Egress Analytics - Web & USB Destinations
  • Detection & Response Strategy: Enhance monitoring; detect exfiltration to uncommon destinations; monitor privileged system access; investigate USB activity

Attack Scenarios

Organizations face diverse insider threat patterns ranging from accidental data exposure to sophisticated exfiltration campaigns. The following scenarios, emulated by the CrowdStrike team, demonstrate how the CrowdStrike Falcon - Insider Threat Analytics dashboard detects real-world insider threat techniques through multi-layered behavioral analytics and risk scoring. Each scenario includes the attack pattern, detection methodology, and specific dashboard capabilities that enable identification and investigation.

Scenario 1: Data Exfiltration to New Destinations

Attack Pattern

A malicious insider leverages their legitimate access to exfiltrate sensitive data to previously unseen web destinations — personal cloud storage, file-sharing services, or external platforms outside their normal activity patterns. This technique is particularly effective because the insider's access is authorized and data handling appears routine until the exfiltration destination is examined.

Attack Stages:

  1. Baseline Establishment: The insider operates normally for weeks or months, establishing a behavioral baseline.
  2. Target Selection: Sensitive files are identified and accessed through legitimate business processes.
  3. New Destination Setup: Personal accounts are created on cloud platforms (Dropbox, Google Drive, personal email).
  4. Exfiltration: Data is uploaded to the new destination, often during off-hours or in small increments to avoid volume-based detection.

Detection Methodology

The Hunting Leads - Data Egress First-seen Activity section detects this technique through timestamp-based baseline comparison that identifies when users egress data to new destinations or devices not seen in their historical activity. The following hunting query can be used to replicate this detection logic in Advanced Event Search for custom investigations or automated alerting:

// ===================================================================
// First-Seen Web Destination Detection Query
// Purpose: Identifies users accessing new web destinations not seen 
//          in their historical baseline activity
// ===================================================================

// Base Query - Web Data Egress Events
#repo="base_sensor" #event_simpleName="DataEgress"
| parseJson(DataEgressDestination, prefix=destination.)
| destination.channel[0]=0 // Filter to Web egress channel only

// Create timestamp-based flags for baseline comparison
| case {
    test(@timestamp > now() - duration(7d)) | _new_event := true;           // Event in assessment window (last 7 days)
    * | _baseline_event := true;      // Event in baseline window (older than 7 days)
}

// Extract destination domain from URL for analysis
| destination.web_destination[0].host_url[0]=/(https?:\/\/)?(?<_domain_name>[^\/]+)/

// Aggregate by user and destination domain
| groupBy([UserSid, _domain_name], limit=max, function=[
    count(field=_new_event, as=_new_event_count),
    count(field=_baseline_event, as=_baseline_event_count),
    collect([UserName, ComputerName, NormalizedPath, 
             destination.web_destination[0].web_location_name[0], 
             destination.web_destination[0].cloud_username[0], 
             destination.web_destination[0].host_url[0]])
])

// Filter to first-seen destinations (present in assessment, absent in baseline)
| _baseline_event_count=0 _new_event_count>0

// Format output for investigation
| rename(destination.web_destination[0].web_location_name[0], as=Destination)
| rename(destination.web_destination[0].cloud_username[0], as="Cloud UserName")
| rename(destination.web_destination[0].host_url[0], as=URL)
| table([UserName, ComputerName, Destination, "Cloud UserName", URL, NormalizedPath])

Figure 8. First-seen Web Destination for User - Hunting Query results
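The same first-seen logic as an added Python example (not CrowdStrike's own code), run over constructed DataEgress-style records: it keeps only the Web channel, splits events into the assessment window and the older baseline around a fixed reference time, extracts the domain with the same regex shape as the query, and also applies the domain exclusions the First-seen Activity section describes. The nested JSON layout of the constructed records mirrors the field paths in the query but is an assumption.

```python
# Added example, not CrowdStrike's code: first-seen web destination per user.
import json
import re
from datetime import datetime, timedelta, timezone

# Same shape as the query's regex: optional scheme, then everything up to the first '/'
DOMAIN_RE = re.compile(r"^(?:https?://)?(?P<domain>[^/]+)")
WEB_CHANNEL = 0  # destination.channel[0] == 0 is the Web egress channel in the query


def first_seen_web_destinations(events, now, assessment_days=7, exclude_domains=()):
    """Return (user, domain) rows seen in the assessment window but never in the
    older baseline. 'now' is an aware datetime so results are reproducible."""
    window_start = now - timedelta(days=assessment_days)
    excluded = {d.lower() for d in exclude_domains}
    buckets = {}  # (UserSid, domain) -> counts plus context for the analyst
    for ev in events:
        dest = json.loads(ev["DataEgressDestination"])      # parseJson(DataEgressDestination)
        if dest.get("channel", [None])[0] != WEB_CHANNEL:
            continue  # USB and other channels are out of scope for this lead
        web = dest["web_destination"][0]
        url = web["host_url"][0]
        match = DOMAIN_RE.match(url)
        if not match:
            continue
        domain = match.group("domain").lower()
        if domain in excluded:
            continue  # known legitimate service (configurable exclusion)
        ts = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc)
        row = buckets.setdefault((ev["UserSid"], domain), {
            "UserName": ev["UserName"], "ComputerName": ev["ComputerName"],
            "Destination": web["web_location_name"][0],
            "Cloud UserName": web["cloud_username"][0],
            "URL": url, "NormalizedPath": ev["NormalizedPath"],
            "_new_event_count": 0, "_baseline_event_count": 0,
        })
        if ts > window_start:           # @timestamp > now() - duration(assessment window)
            row["_new_event_count"] += 1
        else:
            row["_baseline_event_count"] += 1
    return [row for row in buckets.values()
            if row["_baseline_event_count"] == 0 and row["_new_event_count"] > 0]


NOW = datetime(2024, 2, 20, 12, 0, tzinfo=timezone.utc)  # fixed reference time for the sample


def _event(sid, user, days_ago, channel, location, cloud_user, url, path):
    """Build one constructed DataEgress-style record (layout is an assumption)."""
    dest = {"channel": [channel],
            "web_destination": [{"web_location_name": [location],
                                 "cloud_username": [cloud_user],
                                 "host_url": [url]}]}
    return {"UserSid": sid, "UserName": user, "ComputerName": "WS-" + user.upper(),
            "NormalizedPath": path,
            "timestamp": int((NOW - timedelta(days=days_ago)).timestamp() * 1000),
            "DataEgressDestination": json.dumps(dest)}


# Constructed sample: alice's corporate drive is in her baseline, the personal
# Dropbox account is not; bob has used Dropbox for a month; one USB event is ignored.
SAMPLE_EVENTS = [
    _event("S-1-5-21-1", "alice", 20, 0, "Google Drive", "alice@corp.example",
           "https://drive.google.com/upload", "C:\\docs\\q1.xlsx"),
    _event("S-1-5-21-1", "alice", 2, 0, "Google Drive", "alice@corp.example",
           "https://drive.google.com/upload", "C:\\docs\\q2.xlsx"),
    _event("S-1-5-21-1", "alice", 1, 0, "Dropbox", "alice.personal@mail.example",
           "https://www.dropbox.com/home", "C:\\docs\\customers.csv"),
    _event("S-1-5-21-1", "alice", 1, 1, "USB", "", "", "C:\\docs\\customers.csv"),
    _event("S-1-5-21-2", "bob", 3, 0, "Dropbox", "bob@mail.example",
           "https://www.dropbox.com/home", "C:\\tmp\\notes.txt"),
    _event("S-1-5-21-2", "bob", 30, 0, "Dropbox", "bob@mail.example",
           "www.dropbox.com/home", "C:\\tmp\\old.txt"),
]

if __name__ == "__main__":
    for row in first_seen_web_destinations(SAMPLE_EVENTS, NOW):
        print(row["UserName"], row["Destination"], row["URL"], row["_new_event_count"])
```

Widening assessment_days to 30 turns bob's first Dropbox use into baseline and surfaces alice's corporate drive as first-seen, which is the sensitivity trade-off the section describes.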

Scenario 2: Mass Data Collection and Bulk Export to Cloud Storage

Attack Pattern

A compromised user account is abused to conduct mass data collection followed by bulk export to a cloud storage service. The adversary uses the compromised credentials to search and download sensitive files from network shares, SharePoint, or corporate cloud storage to the local endpoint (staging), then uploads the aggregated data to an attacker-controlled cloud account.

Attack Stages

  1. Account Compromise and Endpoint Access: The adversary gains user credentials and access to a workstation.
  2. Data Collection and Staging: The adversary searches network shares, SharePoint sites, and other repositories, downloading sensitive files to the local endpoint (data staging).
  3. Bulk Export: Large data volumes are uploaded from the staged endpoint to attacker-controlled cloud storage that mimics legitimate data egress processes (Google Drive, Dropbox, other).
  4. Egress Volume Spike: The bulk upload creates an unusual spike in egress volume from the endpoint.

Detection Methodology

The CrowdStrike Falcon - Insider Threat Analytics dashboard detects this attack pattern through multiple correlated indicators:

  • The Insider Risk Indicators section flags users exceeding 1% of company-wide egress volume.
  • The Egress Data Volume over Time widget in the Falcon Data Protection Detection Analytics section visually displays the volume spike, revealing the sudden uptick characteristic of bulk export operations.
  • The Hunting Leads - Rare Events section surfaces users accessing rare destination account domains. The attacker-controlled cloud account often has a domain not matching organizational email patterns, which then appears in hunting results.
  • Elevated identity risk scores (due to compromised credentials) combined with data egress activity elevate the total risk score in case of a compromised account.

For analysts requiring customized detection parameters or scheduled monitoring, the following query replicates the volume anomaly and suspicious account detection logic:

// =====================================================================
// Users Responsible for >1% of Company-Wide Data Egress Volume
// Purpose: Identifies users performing bulk data exports that exceed
//          organizational volume thresholds, indicating potential mass
//          data collection and exfiltration operations
// =====================================================================

// Base query - All data egress events
#repo="base_sensor" #event_simpleName="DataEgress"

// Parse JSON objects for destination and data protection properties
| parseJson(DataEgressDestination, prefix=destination.)
| parseJson(DataProtectionProperties, prefix=properties.)

// Classify egress channel type
| case { 
    destination.channel[0]=0 | "Egress Channel" := "Web";
    destination.channel[0]=1 | "Egress Channel" := "USB";
    * | "Egress Channel" := "Other";
}

// Calculate volumes: company-wide total and per-user aggregation
| stats([
    // Compute total company-wide data egress volume for percentage calculation
    sum(Size, as=_total_egress_volume),
    
    // Aggregate by user with volume and contextual details
    groupBy(UserSid, limit=max, function=[
        sum(Size, as=_user_egress_volume),
        collect([UserName, "Egress Channel",
            properties.origin_web_locations[0].web_location_name[0], 
            properties.origin_web_locations[0].cloud_username[0], 
            destination.web_destination[0].web_location_name[0], 
            destination.web_destination[0].cloud_username[0]
        ])
    ])
])

// Calculate user's percentage of company-wide egress volume
| _user_percentage := (_user_egress_volume / _total_egress_volume) * 100

// Filter to volume anomalies (>1% threshold - adjust as needed)
| _user_percentage > 1

// Format output for investigation
| unit:convert(_user_egress_volume, from="B", to="GB")
| _user_percentage_display := format("%.2f%%", field=_user_percentage)
| rename(properties.origin_web_locations[0].web_location_name[0], as="Data Origin")
| rename(properties.origin_web_locations[0].cloud_username[0], as="Origin Cloud UserName")
| rename(destination.web_destination[0].web_location_name[0], as="Egress Destination")
| rename(destination.web_destination[0].cloud_username[0], as="Destination Cloud UserName")
| rename(_user_egress_volume, as="Volume (GB)")
| rename(_user_percentage_display, as="% of Company Total")
| table([UserName, "Volume (GB)", "% of Company Total", "Egress Channel", 
        "Data Origin", "Origin Cloud UserName", "Egress Destination", 
        "Destination Cloud UserName"], 
       sortby=_user_percentage, order=desc)

Figure 9. Identifies users performing bulk data exports that exceed organizational volume thresholds
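The volume-share logic of the query above as an added Python example (not CrowdStrike's own code) over constructed records: it classifies the egress channel the same way the query's case block does, sums Size company-wide and per user, keeps users above a configurable percentage threshold, and collects the same origin and destination context. The JSON layout of the constructed records follows the query's field paths but is an assumption, and the byte-to-GB conversion uses decimal gigabytes.

```python
# Added example, not CrowdStrike's code: users above a share of company-wide egress volume.
import json

CHANNEL_NAMES = {0: "Web", 1: "USB"}  # destination.channel[0] values used by the query
COLLECTED = ("Egress Channel", "Data Origin", "Origin Cloud UserName",
             "Egress Destination", "Destination Cloud UserName")


def egress_channel(dest: dict) -> str:
    """Classify the egress channel like the query's case block ('Other' for anything else)."""
    return CHANNEL_NAMES.get(dest.get("channel", [None])[0], "Other")


def _collect(row: dict, key: str, values) -> None:
    """Add the first element of a list-valued JSON field to the row's collect() set."""
    if values:
        row[key].add(values[0])


def bulk_egress_users(events, threshold_pct=1.0):
    """Users whose summed Size exceeds threshold_pct of the company-wide total,
    sorted by share descending, with the contextual fields the query collects."""
    total = sum(ev["Size"] for ev in events)
    if total == 0:
        return []
    per_user = {}
    for ev in events:
        dest = json.loads(ev["DataEgressDestination"])       # parseJson(DataEgressDestination)
        props = json.loads(ev["DataProtectionProperties"])   # parseJson(DataProtectionProperties)
        origin = (props.get("origin_web_locations") or [{}])[0]
        web_dest = (dest.get("web_destination") or [{}])[0]
        row = per_user.setdefault(ev["UserSid"], {
            "UserName": ev["UserName"], "_user_egress_volume": 0,
            **{key: set() for key in COLLECTED}})
        row["_user_egress_volume"] += ev["Size"]
        row["Egress Channel"].add(egress_channel(dest))
        _collect(row, "Data Origin", origin.get("web_location_name"))
        _collect(row, "Origin Cloud UserName", origin.get("cloud_username"))
        _collect(row, "Egress Destination", web_dest.get("web_location_name"))
        _collect(row, "Destination Cloud UserName", web_dest.get("cloud_username"))
    results = []
    for row in per_user.values():
        pct = row["_user_egress_volume"] / total * 100
        if pct <= threshold_pct:
            continue  # below the configurable volume threshold
        out = {k: (sorted(v) if isinstance(v, set) else v) for k, v in row.items()}
        out["Volume (GB)"] = round(row["_user_egress_volume"] / 1e9, 3)  # decimal GB (assumption)
        out["% of Company Total"] = "%.2f%%" % pct
        out["_user_percentage"] = pct
        results.append(out)
    results.sort(key=lambda r: r["_user_percentage"], reverse=True)
    return results


def _event(sid, user, size, channel, origin_name, origin_user, dest_name, dest_user):
    """Build one constructed DataEgress-style record (layout is an assumption)."""
    dest = {"channel": [channel]}
    if dest_name is not None:
        dest["web_destination"] = [{"web_location_name": [dest_name], "cloud_username": [dest_user]}]
    props = {}
    if origin_name is not None:
        props["origin_web_locations"] = [{"web_location_name": [origin_name],
                                          "cloud_username": [origin_user]}]
    return {"UserSid": sid, "UserName": user, "Size": size,
            "DataEgressDestination": json.dumps(dest),
            "DataProtectionProperties": json.dumps(props)}


# Constructed sample: total 9,990,000,000 bytes; alice stages from SharePoint and
# exports to a non-corporate cloud account plus USB, bob and carol are routine users.
SAMPLE_EVENTS = [
    _event("S-1-5-21-1", "alice", 9_000_000_000, 0, "SharePoint", "alice@corp.example",
           "Google Drive", "dump.account@mail.example"),
    _event("S-1-5-21-1", "alice", 600_000_000, 1, "SharePoint", "alice@corp.example", None, None),
    _event("S-1-5-21-2", "bob", 300_000_000, 0, None, None, "OneDrive", "bob@corp.example"),
    _event("S-1-5-21-3", "carol", 90_000_000, 0, None, None, "OneDrive", "carol@corp.example"),
]

if __name__ == "__main__":
    for row in bulk_egress_users(SAMPLE_EVENTS):
        print(row["UserName"], row["Volume (GB)"], row["% of Company Total"],
              row["Egress Channel"], row["Destination Cloud UserName"])
```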

Conclusion

Insider threats and risks represent a significant challenge for modern organizations, requiring sophisticated detection capabilities that go beyond traditional security controls. By combining multi-source risk scoring, behavioral anomaly detection, and data egress visibility, companies can dramatically reduce the likelihood and impact of insider incidents.

The CrowdStrike Falcon - Insider Threat Analytics and CrowdStrike Falcon Data Protection - User Activity Investigation dashboards provide an integrated insider threat detection and investigation workflow. The Insider Threat Analytics dashboard identifies high-risk users through automated scoring and behavioral hunting, while the User Activity Investigation dashboard enables detailed forensic analysis of flagged activity. This architecture streamlines the progression from risk identification to analysis and incident response.

By implementing these dashboards, security teams gain proactive detection of insider threats, enhanced monitoring for departing employees and high-risk users, and adaptable behavioral anomaly detection tuned to organizational context — protecting sensitive data and operations before insider incidents result in significant organizational harm.

Additional Resources