Suspected Insider Still Has Access -- Investigation Must Be Covert
The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.
Signals
- DLP alerts or anomalous data access patterns attributed to a specific user account
- HR or management has flagged a specific individual based on behavioral concerns
- The suspected account continues to log in and operate normally while the investigation is underway
Pivot Actions
1. Implement silent monitoring: increase logging verbosity on the suspect account without visible changes to their environment
2. Deploy covert EDR collection policies targeting the suspect's workstation for enhanced telemetry
3. Coordinate with HR and legal to establish a formal insider-threat investigation protocol before taking visible action
4. Shadow the suspect's email with a journaling rule or eDiscovery hold that does not send notifications
5. Prepare a containment plan that can be executed rapidly once legal and HR authorize overt action (simultaneous account disable, badge deactivation, device confiscation)
Alternate Evidence Sources
- DLP and CASB logs showing file access, downloads, and sharing activity for the suspect account
- Badge/physical access logs correlating the suspect's presence with data-access events
- Email journaling or M365 eDiscovery content searches capturing communications
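The badge-to-data-access correlation above, as an added example that is not part of the original playbook: it builds on-site presence windows from badge-in/badge-out records and labels each DLP/CASB event as on-site or off-site, so activity on the account while the person was not in the building stands out for review. The account name, log formats and all log lines are constructed for the example.

```python
from datetime import datetime

# Constructed sample logs for a hypothetical suspect account "jdoe" (not real data).
# Badge log: timestamp,user,action,reader.  DLP log: timestamp,user,action,object,src_ip.
BADGE_LOG = """\
2024-03-04T08:02:00,jdoe,badge_in,HQ-Lobby
2024-03-04T17:31:00,jdoe,badge_out,HQ-Lobby
2024-03-05T08:15:00,jdoe,badge_in,HQ-Lobby
2024-03-05T12:05:00,jdoe,badge_out,HQ-Lobby
"""
DLP_LOG = """\
2024-03-04T09:10:00,jdoe,download,finance/q4_forecast.xlsx,10.20.1.44
2024-03-04T22:47:00,jdoe,download,finance/board_deck.pptx,203.0.113.9
2024-03-05T13:30:00,jdoe,share_external,finance/board_deck.pptx,203.0.113.9
"""

def parse_badge_intervals(log):
    """Return {user: [(start, end), ...]} presence windows from badge events.
    A badge_in with no later badge_out is treated as still on site."""
    open_in, intervals = {}, {}
    for line in log.strip().splitlines():
        ts, user, action, _reader = line.split(",")
        t = datetime.fromisoformat(ts)
        if action == "badge_in":
            open_in[user] = t
        elif action == "badge_out" and user in open_in:
            intervals.setdefault(user, []).append((open_in.pop(user), t))
    for user, t in open_in.items():
        intervals.setdefault(user, []).append((t, datetime.max))
    return intervals

def correlate(dlp_log, badge_log):
    """Label each data-access event 'onsite' or 'offsite' by badge presence."""
    presence = parse_badge_intervals(badge_log)
    findings = []
    for line in dlp_log.strip().splitlines():
        ts, user, action, obj, src_ip = line.split(",")
        t = datetime.fromisoformat(ts)
        onsite = any(start <= t <= end for start, end in presence.get(user, []))
        findings.append({"time": ts, "user": user, "action": action, "object": obj,
                         "src_ip": src_ip, "presence": "onsite" if onsite else "offsite"})
    return findings

def offsite_events(dlp_log, badge_log):
    """Events where the account was active while the person was not badged in.
    These deserve the closest review (remote access, shared credentials, off-hours use)."""
    return [f for f in correlate(dlp_log, badge_log) if f["presence"] == "offsite"]
```

With the sample data the two board-deck events are off-site, while the morning forecast download falls inside a presence window.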