Establish 90-Day Behavioral Baseline for Subject
Establish what "normal" looks like for the subject over the prior 90 days so you can later identify deviations with confidence. This is not an accusatory data pull; it is a baseline that protects both the organization (evidence of deviation) and the subject (evidence of non-deviation if exonerating).
Actions
1. Pull aggregate activity volumes (files accessed per day, emails sent, login count, SaaS apps used, VPN sessions) for the subject over 90 days; compare to role-peer baselines where possible.
2. Pull behavioral signals only at aggregate level first -- access counts, unusual-hour counts, off-network counts -- before drilling into individual events.
3. Identify typical working hours, typical devices, typical applications, typical geography, typical peers/collaborators.
4. Record the baseline with clear provenance (data sources, time window, analyst) so later comparisons are defensible.
5. Identify baseline gaps: what data sources are not retained 90 days back, and what that limits the baseline to.
Queries
AuditLogs | where TimeGenerated > ago(90d) | where InitiatedBy has "<subject>" | summarize count() by bin(TimeGenerated, 1d), OperationName | order by TimeGenerated asc
SigninLogs | where TimeGenerated > ago(90d) | where UserPrincipalName =~ "<subject>" | summarize count() by bin(TimeGenerated, 1h), IPAddress, Location, ClientAppUsed
DeviceFileEvents | where Timestamp > ago(90d) | where InitiatingProcessAccountName =~ "<subject>" | summarize count() by bin(Timestamp, 1d), ActionType
Notes
Aggregate baselines are less privacy-invasive than event-level pulls and should be the first step. Event-level detail is appropriate only after the baseline identifies deviation.
Baseline against role-peer averages where possible. "User X downloaded 500 files today" is meaningful only in the context of their own baseline and their role-peers.
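The self-versus-peer comparison above, as an added Python example (not part of this playbook, and not tied to any product): it records a baseline with its provenance and coverage, then scores a day's count against both the subject's own history and the pooled role-peer history. All counts are constructed sample data and nine days stand in for the 90-day window.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample data (not from any real tenant): daily file-access counts for the
# subject and three role peers. Nine days stand in for the 90-day window.
SUBJECT_HISTORY = [40, 45, 38, 50, 42, 47, 44, 41, 39]
PEER_HISTORY = {
    "peer-a": [60, 55, 70, 65, 58, 62, 66, 59, 61],
    "peer-b": [30, 35, 28, 33, 31, 36, 29, 34, 32],
    "peer-c": [45, 50, 48, 52, 46, 49, 51, 47, 44],
}

@dataclass(frozen=True)
class Baseline:
    metric: str
    source: str          # data source the counts came from, e.g. "DeviceFileEvents"
    window_days: int     # window requested (90)
    coverage_days: int   # days actually returned; fewer than window_days means a retention gap
    analyst: str
    self_mean: float
    self_std: float
    peer_mean: float
    peer_std: float

    def retention_gap(self) -> int:
        """Days the baseline could not cover because the source was not retained that far back."""
        return self.window_days - self.coverage_days

def build_baseline(metric, source, window_days, analyst, subject, peers) -> Baseline:
    """Summarise the subject's own history and the pooled role-peer history with provenance."""
    pooled = [count for series in peers.values() for count in series]
    return Baseline(metric, source, window_days, len(subject), analyst,
                    mean(subject), pstdev(subject), mean(pooled), pstdev(pooled))

def z_score(value, mu, sigma) -> float:
    # A flat history (sigma == 0) is itself a data-quality signal; avoid dividing by zero.
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma

def classify(baseline: Baseline, observed: int, threshold: float = 3.0):
    """Return (verdict, z_self, z_peer): a day is a deviation only if it is unusual for the
    subject AND unusual for the role; unusual for the subject alone is 'self-only'."""
    z_self = z_score(observed, baseline.self_mean, baseline.self_std)
    z_peer = z_score(observed, baseline.peer_mean, baseline.peer_std)
    if z_self > threshold and z_peer > threshold:
        verdict = "deviation"
    elif z_self > threshold:
        verdict = "self-only"   # within role-peer range; likely role-normal, not a flag on its own
    else:
        verdict = "normal"
    return verdict, round(z_self, 1), round(z_peer, 1)
```

A "self-only" result is the case the note warns about: high for this person but ordinary for the role, so it should prompt a look at the peer baseline rather than an event-level pull.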