performing-insider-threat-investigation
Performing Insider Threat Investigation
When to Use
- DLP (Data Loss Prevention) alerts on large data transfers to personal cloud storage or USB devices
- User behavior analytics (UBA) detects anomalous access patterns for a user account
- HR reports a departing employee suspected of taking proprietary information
- A privileged user is observed accessing systems outside their job function
- A whistleblower or coworker report alleges policy violations or data theft
Do not use for external attacker investigations where compromised credentials are used without insider collusion; use standard incident response procedures instead.