Analytics Story: Insider Threat
Description
Monitor for activities and techniques associated with insider threats, focusing specifically on malicious insiders operating within a corporate environment.
Why it matters
Insider Threats are best defined by CISA: "Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs." An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. The insider profiles that most commonly give rise to insider threats are departing employees, security evaders, malicious insiders, and negligent employees. This story aims at detecting the malicious insider.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| G Suite Drive | Other | gsuite:drive:json | http:gsuite |
| Windows Event Log Security 4648 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4625 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Palo Alto Network Threat | Network | pan:threat | not_applicable |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Linux Secure | Linux | linux_secure | /var/log/secure |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable |
| G Suite Gmail | Other | gsuite:gmail:bigquery | http:gsuite |
| Palo Alto Network Traffic | Network | pan:traffic | not_applicable |
| Windows Event Log Security 5145 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |

For reference, the Windows Security IDs above are 4625 (failed logon), 4648 (logon with explicit credentials), 4688 (process creation) and 5145 (detailed file share object access, which is only generated when the "Audit Detailed File Share" subcategory is enabled); the Sysmon IDs are 1 (process creation), 11 (file creation), 13 (registry value set), 17 (named pipe created), 18 (named pipe connected) and 22 (DNS query).
References
- https://www.imperva.com/learn/application-security/insider-threats/
- https://github.com/Insider-Threat/Insider-Threat
- https://www.code42.com/glossary/types-of-insider-threats/
- https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/
- https://www.cisa.gov/defining-insider-threats
Source: GitHub | Version: 2