Exposing Insider Threats through Data Protection, Identity, and HR Context

February 18, 2026 | Radu-Emanuel Chiscariu and Emilian Duca | Next-Gen SIEM & Log Management

Insider threats pose a growing risk to organizations.


Whether insiders take malicious actions, exhibit negligent behavior, or make accidental errors, they have the potential to cause significant harm to an organization’s assets, sensitive data, and reputation. Insiders can pose a variety of risks, from stealing confidential data and intellectual property to disrupting systems. Understanding user behavior patterns, correlating activity across multiple data sources, and detecting behavioral anomalies early are critical to identifying both malicious insiders and negligent users before they cause significant harm.

CrowdStrike Falcon® Data Protection and CrowdStrike Falcon® Next-Gen Identity Security, combined with CrowdStrike Falcon® Next-Gen SIEM, enable customers to quickly detect and respond to insider threats. Through the new Insider Threat Analytics and User Activity Investigation dashboards, both in Falcon Next-Gen SIEM, organizations can use user behavior analytics, data access patterns, risk indicator scoring, and policy violation alerts to identify and investigate insider risks.

In this blog, we detail the dashboard features that can detect insider threats and how customers can leverage this tool for proactive defense. We also share example attack scenarios to show how CrowdStrike Falcon detects insider threat techniques and outline how these dashboards support a complete insider threat program.

Building an Insider Threat Detection Program with CrowdStrike Falcon

Effective insider threat detection requires a robust strategy that combines behavioral analytics, multi-source correlation, policy enforcement, and streamlined investigation workflows.

The CrowdStrike Falcon - Insider Threat Analytics and CrowdStrike Falcon Data Protection - User Activity Investigation dashboards implement the following capabilities to support a complete insider threat program:

1. Multi-Layer Detection Architecture

The dashboards correlate telemetry across multiple security layers to detect insider threat indicators at every stage of an attack:

- Identity Protection Layer: Monitor authentication anomalies, privilege escalations, and indicators of credential compromise through identity risk scores.
- Data Protection Layer: Track data egress patterns, including large transfers, unusual destinations, off-hours activity, and policy violations, through Falcon Data Protection detections and DataEgress events.
- Endpoint Layer: Detect data movement from non-standard endpoints, including servers, domain controllers, and cloud instances, through the Unusual Endpoints hunting section.
- HR Context Layer: Enhance monitoring for new and departing employees.
- Cross-Layer Event Correlation: Link activities across all layers to detect insider attacks in their early stages. Falcon Data Protection detections and data egress events are combined with the source user's identity risk score and HR employment status, and risk indicators are identified from the behaviors and activity logs of the above sources, with thresholds and scoring that can be customized to organization policies and baselines.

2. Advanced Behavioral Analytics and Hunting Leads

The dashboards establish baselines for user behavior and monitor deviations to identify insider threats:

- Statistical Baseline Establishment: Create behavioral baselines using configurable historical periods (7-30+ days).
- First-Seen Analysis: Detect new “source user - data egress destination” combinations and device usage patterns to identify insiders engaging in novel activities that deviate from established patterns, which can indicate policy violations or unauthorized activity. The dashboards surface:
  - New Destinations: Compare first-time web upload destinations to individual user baselines.
  - USB Device Monitoring: Track new removable storage device usage with baseline comparison.
  - Destination Account Analysis: Extract and monitor destination account domains to identify suspicious ones.
- Rare Event Detection: Identify statistically anomalous destinations and activities based on organizational frequency patterns.
- Temporal Anomaly Detection: Identify suspicious activity during off-hours, including weekends.
- Unusual Endpoint for Data Egress: Monitor data egress from non-desktop systems (servers, domain controllers, cloud instances).

3. Risk-Based Prioritization

A risk-based prioritization framework enables the organization to prioritize responses based on the severity and likelihood of a threat. The dashboards accelerate investigation workflows through automated risk scoring and user ranking:

- Dynamic Risk Scoring: Combine identity, behavioral, HR status, and data egress indicators to calculate per-user risk scores.
- High-Risk User Identification: Surface users with elevated risk scores for immediate investigation.
- Configurable Thresholds: Adjust minimum indicator counts and select which indicators to include based on organizational priorities.

4. Policy and Compliance Framework

Data protection policies ensure adherence to regulations and security best practices. The dashboards provide visibility into policy effectiveness and coverage:

- Falcon Data Protection Policy Enforcement Visibility: Track Falcon Data Protection policy actions (Monitored, Blocked, Allowed, Simulated) across all egress channels.
- Coverage Assessment: Monitor protected vs. unprotected data egress to identify policy gaps.
- Detection Analytics: Analyze detections by severity, type, content patterns, and sensitivity labels.

5. Investigation and Response Capabilities

When a potential insider threat is detected, the dashboards accelerate investigation through interactive workflows and cross-platform integration:

- Timeline Analysis: Reconstruct attack chains to understand the full scope of the threat via event timelines for selected users.
- User Context: Integrate identity risk scores, HR employment status, and user attributes to enrich investigations.
- Interactive Filtering: Enable filtering across multiple dimensions (severity, channel, policy, content type).
- Advanced Event Search: Get direct links for in-depth event investigation.

Introducing the Insider Threat Analytics Dashboard

Design, Capabilities, and Requirements

The “CrowdStrike Falcon - Insider Threat Analytics” dashboard features six specialized analytical sections designed to aid in risk assessment and investigation.

Available to organizations with Falcon Data Protection and Falcon Next-Gen Identity Security, the dashboard combines automated risk indicator scoring with behavioral hunting capabilities to identify high-risk users and suspicious activity patterns requiring further investigation. The dashboard implements a progressive investigation workflow that guides analysts from risk identification to behavioral hunting:

- Insider Risk Indicators surface high-risk users through automated scoring.
- Falcon Data Protection Detection Analytics provides detection pattern analysis and user selection.
- Hunting Leads sections (four sections) target specific behavioral anomalies: rare destinations, first-seen activities, unusual endpoints, and off-hours activity.

This architecture enables filter-and-focus investigation: analysts select high-risk users in the top sections and apply them as global filters to narrow analysis across all remaining sections.

Interactive widgets support both dashboard-internal refinement and cross-dashboard pivoting to the companion User Activity Investigation dashboard for in-depth analysis of data egress events. The design separates risk-based hunting (this dashboard) from detailed event investigation (companion dashboard), optimizing both workflow efficiency and system performance by distributing query load across two focused views.

The dashboard's risk scoring methodology synthesizes telemetry from critical sources including data movement (Falcon Data Protection), identity behavior (Falcon Next-Gen Identity Security), and employee lifecycle (Workday) to detect insider threats that single-source monitoring would miss. This correlation transforms isolated security signals into contextualized risk intelligence: Falcon Data Protection detections reveal what data moved and where, Falcon Next-Gen Identity Security provides behavioral risk context, and Workday identifies high-risk employment status.

The result is multi-dimensional risk scoring where, for example, a user egressing confidential data to a rare destination while exhibiting high identity risk scores receives compounded risk points that elevate them above users triggering individual indicators. This enables analysts to prioritize investigations based on holistic threat profiles rather than individual alerts. Risk scoring is enhanced through an integration with Workday HR data to identify departing employees.

The Insider Risk - Workday Leavers application in CrowdStrike Falcon® Foundry automatically syncs employee termination data and enables two high-value risk indicators that substantially increase risk scores when departing employees exhibit suspicious data egress behaviors. While optional, this integration is strongly recommended as departing employees represent one of the highest-priority insider threat scenarios.

A supplementary requirement for maximizing this dashboard’s capabilities is ensuring Content Inspection is properly enabled across Falcon Data Protection policies. This helps ensure visibility into sensitive data movement across your environment. Content Inspection enables the dashboard to surface sensitivity labels and content patterns in Falcon Data Protection detections, powering a specific set of risk indicators that elevate risk scores when confidential data egress activities are detected.

Also, by analyzing these patterns through the dashboard's Detection Analytics section, security teams can quantify which users are handling sensitive data and prioritize investigations based on the sensitivity context.

Next, we’ll take a closer look at individual sections of the Insider Threat Analytics dashboard.

Insider Risk Indicators

This section identifies and ranks users with the highest insider risk based on a set of predefined risk indicators that compound into a total risk score.

The indicators combine Falcon Data Protection and Falcon Next-Gen Identity Security telemetry and Workday employment status to calculate total risk scores (1-100 points per user). The risk scoring methodology combines 25 indicators including specific security events (Falcon Data Protection detections, sensitive data handling, rare destinations) and behavioral/contextual patterns (employment status, identity risk, data egress volume anomalies).

Analysts can customize risk calculations through configurable parameters, selecting which indicators to include, filtering by employee status, and setting minimum indicator count thresholds, allowing security teams to tune risk scoring based on their environment and investigation priorities.

Note: All dashboard screenshots show a test instance.

Figure 1. Dashboard section outlining insider risk indicators

Users are ranked by insider risk score in descending order to help analysts prioritize investigations, with the highest-risk accounts displayed first for immediate attention.
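Scoring of this shape is easy to prototype outside the dashboard, which helps when deciding how to tune it. The Python below is an added example written for this article, not CrowdStrike's scoring logic: the indicator catalogue, the point values and the four sample users are constructed assumptions standing in for the dashboard's 25 indicators (the post lists neither them nor their weights). It shows the compounding described above (a departing user who egresses confidential data to a rare destination while carrying a high identity risk score outranks users who trigger single indicators), the 100-point cap, and the three configurable parameters: indicator selection, employee status filter and minimum indicator count.

```python
"""Per-user insider risk scoring with configurable indicators.

Added example, not CrowdStrike's scoring logic. The indicator catalogue,
point values and sample users below are constructed assumptions.
"""
from dataclasses import dataclass

# Hypothetical indicator catalogue: indicator name -> points when present.
# Grouped the way the page groups the sources: data protection, behaviour,
# identity, HR. Real weights would be tuned to the environment.
INDICATOR_POINTS = {
    "fdp_detection_critical": 20,          # Falcon Data Protection detection, Critical severity
    "sensitivity_label_confidential": 15,  # content inspection matched a confidential label
    "rare_web_destination": 15,            # organisation-wide rare destination
    "first_seen_destination": 10,          # destination never seen for this user
    "first_seen_usb_device": 10,           # removable device never seen for this user
    "unusual_endpoint_egress": 10,         # egress from a server / DC / cloud instance
    "egress_volume_anomaly": 10,           # volume above the user's baseline
    "off_hours_egress": 5,
    "identity_risk_high": 20,              # Identity Protection risk score is high
    "hr_status_departing": 25,             # Workday leaver
    "hr_status_new_hire": 10,
}
MAX_SCORE = 100


@dataclass(frozen=True)
class UserRisk:
    user: str
    employee_status: str   # "active", "departing" or "new_hire"
    indicators: frozenset  # indicator names the user triggered


def score_user(indicators, enabled=None):
    """Return (score, active indicators): the summed points of the enabled
    indicators this user triggered, capped at MAX_SCORE."""
    enabled = set(INDICATOR_POINTS) if enabled is None else set(enabled)
    active = sorted(i for i in indicators if i in enabled)
    return min(MAX_SCORE, sum(INDICATOR_POINTS[i] for i in active)), active


def rank_users(users, enabled=None, min_indicators=1, employee_status=None):
    """Score every user and rank them highest risk first. Users below the
    minimum indicator count, or outside the employee-status filter, are
    dropped, mirroring the dashboard's configurable parameters."""
    ranked = []
    for u in users:
        if employee_status and u.employee_status not in employee_status:
            continue
        score, active = score_user(u.indicators, enabled)
        if len(active) < min_indicators:
            continue
        ranked.append((u.user, score, active))
    ranked.sort(key=lambda r: (-r[1], r[0]))   # score descending, then name
    return ranked


# Constructed sample users.
SAMPLE_USERS = [
    UserRisk("alice", "departing", frozenset({"hr_status_departing", "rare_web_destination",
                                              "sensitivity_label_confidential", "identity_risk_high"})),
    UserRisk("bob", "active", frozenset({"fdp_detection_critical"})),
    UserRisk("carol", "active", frozenset({"off_hours_egress", "first_seen_usb_device",
                                           "egress_volume_anomaly"})),
    UserRisk("dave", "new_hire", frozenset({"hr_status_new_hire", "first_seen_destination",
                                            "first_seen_usb_device", "rare_web_destination",
                                            "fdp_detection_critical", "identity_risk_high",
                                            "sensitivity_label_confidential", "off_hours_egress"})),
]

if __name__ == "__main__":
    for user, score, active in rank_users(SAMPLE_USERS, min_indicators=2):
        print(f"{user:6} {score:3}  {', '.join(active)}")
```

Dropping the two HR indicators from the enabled set (as a team without the Workday integration would) halves alice's score, which is the practical argument the post makes for the integration: without employment status, the departing employee looks like any other user with a few data-protection hits.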

Figure 2. Dashboard section outlining user risk scores with supplementary details

Falcon Data Protection Detection Analytics

This section provides in-depth analysis of Falcon Data Protection detections through statistical breakdowns, trend analysis, and user-focused drill-down functionality. Analysts can explore detection patterns across multiple dimensions including severity levels (Critical, High, Medium, Low), detection types (anomaly-based vs. rule-based), response actions (Blocked, Allowed, Monitored, Simulated), egress channels (Web, USB), sensitivity labels, and content patterns.

The section features visualizations including Detection Count and Data Volume over Time for trend analysis, Detection Severity to Response Action mapping (Sankey diagram) revealing policy enforcement patterns, and Detection Count by Sensitivity Labels and Content Patterns for understanding what types of sensitive data are triggering detections. The Detection Summary by User table enables drill-down investigation, displaying each user's detection counts, highest severity levels, data volumes, and file types, with direct links to the Falcon Data Protection Detections page and Falcon Next-Gen Identity Security profiles, and the ability to pivot to the companion User Activity Investigation dashboard.

This multi-dimensional analysis enables security teams to detect insider threats and prioritize investigations based on detection patterns and user behavior, while identifying policy gaps and tuning detection rules to improve Falcon Data Protection policy effectiveness.

Figure 3. Dashboard section surfacing Falcon Data Protection detection analytic information

Hunting Leads - Data Egress Rare Events

This section identifies users engaging in data egress to uncommon destinations that may indicate unauthorized data transfer or policy violations.

It analyzes rare web destinations and destination account domains based on organizational frequency patterns, identifies the least frequently accessed destinations company-wide, and surfaces users who access these statistical outliers. By default, the section identifies the top 10 rarest web destinations and top 5 rarest destination account domains (extracted from cloud username fields), with configurable thresholds allowing analysts to adjust sensitivity.

Interactive widgets display user distribution across rare destinations through pie charts, with detailed summary tables providing event counts, data volumes, destinations, and timestamps for investigation. Analysts can select users to apply as global filters, or pivot to the User Activity Investigation dashboard for detailed forensic analysis of flagged user activity. This frequency-based analysis enables detection of uncommon data egress destinations, use of unauthorized personal accounts, or access to suspicious destinations that fall outside normal organizational data movement patterns.

Figure 4. Dashboard section outlining hunting leads for rare data egress events

Additional Hunting Capabilities

The dashboard includes three additional hunting lead sections targeting specific behavioral anomalies:

Hunting Leads - Data Egress First-seen Activity: Identifies users exhibiting new data egress behaviors that deviate from their established patterns, potentially indicating policy violations or unauthorized activity.

This section analyzes first-seen web destinations, destination account domains (extracted from cloud usernames), and USB storage devices based on individual users’ historical activity. It compares recent activity within a configurable assessment window (default: 7 days) against historical baselines to detect behavioral changes. Analysts can configure domain exclusions for known legitimate services and adjust the assessment period to balance detection sensitivity with investigation volume, enabling identification of users suddenly accessing new cloud services, connecting unfamiliar storage devices, or egressing data to previously unseen external accounts.

Hunting Leads - Data Egress from Unusual Endpoints: Identifies data egress activity from non-standard endpoints, potentially indicating malicious or otherwise unauthorized insider activity. This section analyzes data movement from servers, domain controllers, cloud instances (AWS, Azure, Google Cloud), and other non-desktop systems that typically should not be used for routine data transfers. By monitoring egress from these atypical endpoints, analysts can detect unauthorized data transfers from privileged systems, compromised server infrastructure, and cloud workloads being misused for data exfiltration.

The section provides configurable endpoint type exclusions, enabling organizations to focus on the most relevant system types for their environment.

Hunting Leads - Activity During Off Hours: Identifies data egress events and Falcon Data Protection detections occurring outside normal business hours that might indicate suspicious behavior. This section analyzes both Falcon Data Protection detections and data egress events during off-hours periods based on configurable timezone and business hour parameters (default: 5 a.m.-10 p.m. CST), enabling organizations to define business hours aligned with their operational context. The section categorizes off-hours activity into three types: weekend activity, activity before business hours start, and activity after business hours end. This helps analysts identify temporal patterns that may indicate malicious intent or unauthorized after-hours data transfers requiring investigation.

Each section provides interactive summary tables displaying event counts, data volumes, user details, timestamps, destination information, and pivot capabilities to the User Activity Investigation dashboard for detailed analysis of flagged activity.

Introducing the User Activity Investigation Dashboard

The CrowdStrike Falcon Data Protection - User Activity Investigation dashboard complements the Insider Threat Analytics dashboard with detailed forensic analysis of user data egress activity. Designed for in-depth investigation workflows, this dashboard enables security analysts to conduct event-level analysis of flagged users and examine behavior patterns, data movement trends, and policy enforcement across web and USB egress channels.

Analysts can pivot directly from the Insider Threat Analytics dashboard with user context automatically applied, or conduct standalone investigations of specific users exhibiting suspicious data egress activity. The dashboard is organized into three main sections for detailed investigation workflows, as presented below.

Falcon Data Protection Detection Analytics

This section is replicated across both dashboards to provide complete Falcon Data Protection context during investigations.

When examining a specific user's activity in this dashboard, analysts can review both detection patterns (policy violations) and data egress events (broader data movement) without navigating between dashboards, ensuring all relevant Falcon Data Protection telemetry is accessible in a single view.

Data Egress Analytics - Web Destinations

This section provides in-depth analysis of web-based data egress activity through statistical breakdowns, destination mapping, trend analysis, and user-focused drill-down functionality.

It enables analysts to understand data movement across web egress channels, policy actions, classifications, and content types, revealing web data egress destination patterns, what data is being transferred, and how Falcon Data Protection policies are responding. Analysts can drill down to investigate specific users and examine their detailed web egress activity.

Figure 5. Dashboard section showcasing data egress analytics for web traffic

Data Egress Analytics - USB Destinations

This section provides the same in-depth analytical capabilities as the Web Destinations section but covers USB-based data egress activity.

Through statistical breakdowns, device mapping, trend analysis, and user-focused drill-down functionality, analysts can understand data movement across USB egress channels, policy actions, classifications, and content types, which reveal USB device usage patterns, what data is being transferred to removable media, and how Falcon Data Protection policies are responding. Analysts can drill down to investigate specific users and examine their detailed USB egress activity.

Figure 6. Dashboard section showcasing data egress analytics for USB devices

Investigation Workflow Features

The dashboard provides interactive capabilities designed to streamline investigations and enable seamless navigation across the Falcon platform.

Interactive Filtering and Navigation: Dashboard parameters enable filtering by users, severity levels, policy actions, detection types, egress channels, sensitivity labels, and content patterns to focus analysis on relevant activity.

Users can be selected from any table to apply as global filters across all dashboard sections, automatically narrowing all widgets to that user's activity. When pivoting to the User Activity Investigation dashboard, high-risk users are automatically applied as global filters to streamline the transition from risk identification to detailed analysis.

Figure 7. Dashboard feature to filter and down-select detections on a given user

Platform Navigation: Interactive widgets provide direct links to the Falcon Data Protection Detections page for policy review, the Falcon Data Protection Events page for operational context, and Identity Protection user profiles for behavioral risk context.

The Advanced Event Search link enables complex query-based investigation for analysts requiring custom analysis beyond dashboard capabilities.

Hunting Customization: Configurable parameters allow customization of hunting thresholds, including rare destination counts, first-seen assessment periods, off-hours definitions, and endpoint type exclusions. This enables analysts to tune behavioral anomaly detection based on organizational context and investigation priorities.

Insider Threat Detection Mapping

The following table maps insider threat types to their primary detection signals, corresponding dashboard sections, and recommended response strategies:

Table 1. Dashboard sections mapping to specific threat types

Threat Type: Negligent User
Primary Detection Signals: Policy violations; Confidential data handling; Personal web destination
Detection & Response Strategy: Monitor policy violations and sensitivity label triggers; implement user training on data handling; review and tune Falcon Data Protection policies based on detection patterns

Threat Type: Compromised Account
Primary Detection Signals: Unusual destinations; First-seen behavior; Off-hours activities; Elevated identity risk
Dashboard Sections: Hunting Leads - Rare Events; Hunting Leads - First-seen Activity; Hunting Leads - Off Hours
Detection & Response Strategy: Correlate Falcon Data Protection activity with identity risk scores; investigate sudden behavioral changes; monitor authentication anomalies

Threat Type: Malicious Insider
Primary Detection Signals: Rare destinations; Unusual endpoints; USB transfers; Encrypted archives; Volume-based anomalies
Dashboard Sections: Hunting Leads - Unusual Endpoints; Data Egress Analytics - Web & USB Destinations
Detection & Response Strategy: Enhance monitoring; detect exfiltration to uncommon destinations; monitor privileged system access; investigate USB activity

Attack Scenarios

Organizations face diverse insider threat patterns ranging from accidental data exposure to sophisticated exfiltration campaigns.

The following scenarios, emulated by the CrowdStrike team, demonstrate how the CrowdStrike Falcon - Insider Threat Analytics dashboard detects real-world insider threat techniques through multi-layered behavioral analytics and risk scoring. Each scenario includes the attack pattern, the detection methodology, and the specific dashboard capabilities that enable identification and investigation.

Scenario 1: Data Exfiltration to New Destinations

Attack Pattern

A malicious insider leverages legitimate access to exfiltrate sensitive data to previously unseen web destinations: personal cloud storage, file-sharing services, or external platforms outside their normal activity patterns.

This technique is particularly effective because the insider's access is authorized and data handling appears routine until the exfiltration destination is examined.

Attack Stages:

1. Baseline Establishment: The insider operates normally for weeks or months, establishing a behavioral baseline.
2. Target Selection: Sensitive files are identified and accessed through legitimate business processes.
3. New Destination Setup: Personal accounts are created on cloud platforms (Dropbox, Google Drive, personal email).
4. Exfiltration: Data is uploaded to the new destination, often during off-hours or in small increments to avoid volume-based detection.

Detection Methodology

The Hunting Leads - Data Egress First-seen Activity section detects this technique through a timestamp-based baseline comparison that identifies when users egress data to destinations or devices not seen in their historical activity. The following hunting query replicates this detection logic in Advanced Event Search for custom investigations or automated alerting:

```
// ===================================================================
// First-Seen Web Destination Detection Query
// Purpose: Identifies users accessing new web destinations not seen in their historical baseline activity
// ===================================================================

// Base Query - Web Data Egress Events
#repo="base_sensor" #event_simpleName="DataEgress"
| parseJson(DataEgressDestination, prefix=destination.)
| destination.channel[0]=0 // Filter to Web egress channel only

// Create timestamp-based flags for baseline comparison
| case {
    test(@timestamp > now() - duration(7d)) | _new_event := true; // Event in assessment window (last 7 days)
    * | _baseline_event := true;                                   // Event in baseline window (older than 7 days)
  }

// Extract destination domain from URL for analysis
| destination.web_destination[0].host_url[0]=/(https?:\/\/)?(?<_domain_name>[^\/]+)/

// Aggregate by user and destination domain
| groupBy([UserSid, _domain_name], limit=max, function=[
    count(field=_new_event, as=_new_event_count),
    count(field=_baseline_event, as=_baseline_event_count),
    collect([UserName, ComputerName, NormalizedPath,
             destination.web_destination[0].web_location_name[0],
             destination.web_destination[0].cloud_username[0],
             destination.web_destination[0].host_url[0]])
  ])

// Filter to first-seen destinations (present in assessment, absent in baseline)
| _baseline_event_count=0 _new_event_count>0

// Format output for investigation
| rename(destination.web_destination[0].web_location_name[0], as=Destination)
| rename(destination.web_destination[0].cloud_username[0], as="Cloud UserName")
| rename(destination.web_destination[0].host_url[0], as=URL)
| table([UserName, ComputerName, Destination, "Cloud UserName", URL, NormalizedPath])
```

The 7d window is the assessment period and everything older in the search range is the baseline, so a destination can only be judged first-seen against as much history as the search window and repository retention actually cover; widening the window shortens the effective baseline and produces more leads.

Figure 8. First-seen Web Destination for User - Hunting Query results
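To make the baseline-versus-assessment logic concrete, the same first-seen check is written below in Python over a handful of constructed DataEgress-like events. This is an added example, not CrowdStrike code and not a Falcon API: the event layout (a channel list, and a web_destination list carrying host_url, web_location_name and cloud_username lists) is an assumption inferred from the field paths the query references, and the assessment_days parameter stands in for the dashboard's first-seen assessment period setting.

```python
"""First-seen web destination hunt, replicated in Python over constructed events.

The event shape used here is assumed from the field paths in the CQL query
(destination.channel[0], destination.web_destination[0].host_url[0], ...);
it is not taken from any published sensor schema.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WEB_CHANNEL = 0  # destination.channel[0]=0 selects web egress in the query (USB is 1)

# Same pattern the query applies to host_url: optional scheme, then everything up to the next '/'.
_DOMAIN_RE = re.compile(r"(https?://)?(?P<domain>[^/]+)")


def extract_domain(host_url):
    """Return the host portion of a URL, or None if the pattern does not match."""
    match = _DOMAIN_RE.match(host_url)
    return match.group("domain") if match else None


def first_seen_web_destinations(events, now, assessment_days=7):
    """Return (user, domain) pairs seen in the assessment window but never in the baseline.

    Mirrors the query: events newer than now - assessment_days are 'new', everything older
    is 'baseline'; a lead is a (UserSid, domain) with baseline count 0 and new count > 0.
    """
    window_start = now - timedelta(days=assessment_days)
    counts = defaultdict(lambda: {"new": 0, "baseline": 0, "context": None})
    for ev in events:
        dest = json.loads(ev["DataEgressDestination"])
        if dest["channel"][0] != WEB_CHANNEL:
            continue  # web egress only; USB and other channels are outside this hunt
        web = dest["web_destination"][0]
        domain = extract_domain(web["host_url"][0])
        if domain is None:
            continue
        key = (ev["UserSid"], domain)
        bucket = "new" if datetime.fromisoformat(ev["@timestamp"]) > window_start else "baseline"
        counts[key][bucket] += 1
        if bucket == "new" and counts[key]["context"] is None:
            counts[key]["context"] = {  # the columns the query's table() shows, from the first new event
                "UserName": ev["UserName"], "ComputerName": ev["ComputerName"],
                "Destination": web["web_location_name"][0], "Cloud UserName": web["cloud_username"][0],
                "URL": web["host_url"][0], "NormalizedPath": ev["NormalizedPath"],
            }
    leads = [
        {"UserSid": sid, "Domain": domain, "NewEvents": c["new"], **c["context"]}
        for (sid, domain), c in counts.items()
        if c["baseline"] == 0 and c["new"] > 0
    ]
    return sorted(leads, key=lambda lead: (lead["UserName"], lead["Domain"]))


NOW = datetime(2026, 5, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible


def _event(days_ago, sid, user, host, location, cloud_user, path, channel=WEB_CHANNEL):
    """Build one constructed DataEgress-like event (synthetic, not real telemetry)."""
    destination = {
        "channel": [channel],
        "web_destination": [{"host_url": [f"https://{host}/upload"],
                             "web_location_name": [location], "cloud_username": [cloud_user]}],
    }
    return {"@timestamp": (NOW - timedelta(days=days_ago)).isoformat(),
            "UserSid": sid, "UserName": user, "ComputerName": f"{user}-laptop",
            "NormalizedPath": path, "DataEgressDestination": json.dumps(destination)}


SAMPLE_EVENTS = [
    # alice: corporate SharePoint is in her baseline, Dropbox is brand new
    _event(45, "S-1-5-21-1", "alice", "sharepoint.corp.example", "SharePoint", "alice@corp.example", r"C:\Docs\roadmap.docx"),
    _event(2,  "S-1-5-21-1", "alice", "sharepoint.corp.example", "SharePoint", "alice@corp.example", r"C:\Docs\q3.xlsx"),
    _event(1,  "S-1-5-21-1", "alice", "www.dropbox.com", "Dropbox", "alice.personal@example.net", r"C:\Docs\customer-list.xlsx"),
    # alice also copied a file to USB (channel 1); the web hunt must ignore it
    _event(1,  "S-1-5-21-1", "alice", "www.dropbox.com", "Dropbox", "alice.personal@example.net", r"C:\Docs\notes.txt", channel=1),
    # bob has used Dropbox for weeks, so it is not first-seen for him at a 7-day window
    _event(20, "S-1-5-21-2", "bob", "www.dropbox.com", "Dropbox", "bob@corp.example", r"C:\Docs\deck.pptx"),
    _event(3,  "S-1-5-21-2", "bob", "www.dropbox.com", "Dropbox", "bob@corp.example", r"C:\Docs\deck-v2.pptx"),
]


def run_sample(assessment_days=7):
    return first_seen_web_destinations(SAMPLE_EVENTS, NOW, assessment_days)


if __name__ == "__main__":
    for lead in run_sample():
        print(lead)
```

With the default 7-day window only alice's Dropbox upload is a lead; widening assessment_days to 30 in run_sample() flags bob's Dropbox use as well, because his 20-day-old upload now falls inside the assessment window and his baseline becomes empty. That is the trade-off behind the first-seen assessment period knob: a longer window shortens the baseline and surfaces destinations that are merely recent rather than new.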

Scenario 2: Mass Data Collection and Bulk Export to Cloud Storage

Attack Pattern

A compromised user account is abused to conduct mass data collection followed by bulk export to a cloud storage service. The adversary uses the compromised credentials to search and download sensitive files from network shares, SharePoint, or corporate cloud storage to the local endpoint (staging), then uploads the aggregated data to an attacker-controlled cloud account.

Attack Stages:

1. Account Compromise and Endpoint Access: The adversary gains user credentials and access to a workstation.
2. Data Collection and Staging: The adversary searches network shares, SharePoint sites, and other repositories, downloading sensitive files to the local endpoint (data staging).
3. Bulk Export: Large data volumes are uploaded from the staged endpoint to attacker-controlled cloud storage that mimics legitimate data egress (Google Drive, Dropbox, other).
4. Egress Volume Spike: The bulk upload creates an unusual spike in egress volume from the endpoint.

Detection Methodology

The CrowdStrike Falcon - Insider Threat Analytics dashboard detects this attack pattern through multiple correlated indicators:

- The Insider Risk Indicators section flags users exceeding 1% of company-wide egress volume.
- The Egress Data Volume over Time widget in the Falcon Data Protection Detection Analytics section visually displays the volume spike, revealing the sudden uptick characteristic of bulk export operations.

- The Hunting Leads - Rare Events section surfaces users egressing data to rare destination account domains. An attacker-controlled cloud account often has a domain that does not match organizational email patterns, so it appears in the hunting results.
- Elevated identity risk scores (due to the compromised credentials) combined with the data egress activity raise the user's total risk score.

For analysts requiring customized detection parameters or scheduled monitoring, the following query replicates the volume anomaly and suspicious account detection logic:

```
// =====================================================================
// Users Responsible for >1% of Company-Wide Data Egress Volume
// Purpose: Identifies users performing bulk data exports that exceed organizational volume thresholds,
//          indicating potential mass data collection and exfiltration operations
// =====================================================================

// Base query - All data egress events (same base filter and destination parse as the first-seen query above)
#repo="base_sensor" #event_simpleName="DataEgress"
| parseJson(DataEgressDestination, prefix=destination.)

// Parse JSON object for data protection properties
| parseJson(DataProtectionProperties, prefix=properties.)

// Classify egress channel type
| case {
    destination.channel[0]=0 | "Egress Channel" := "Web";
    destination.channel[0]=1 | "Egress Channel" := "USB";
    * | "Egress Channel" := "Other";
  }

// Calculate volumes: company-wide total and per-user aggregation
| stats([
    // Compute total company-wide data egress volume for percentage calculation
    sum(Size, as=_total_egress_volume),
    // Aggregate by user with volume and contextual details
    groupBy(UserSid, limit=max, function=[
      sum(Size, as=_user_egress_volume),
      collect([UserName, "Egress Channel",
               properties.origin_web_locations[0].web_location_name[0],
               properties.origin_web_locations[0].cloud_username[0],
               destination.web_destination[0].web_location_name[0],
               destination.web_destination[0].cloud_username[0]])
    ])
  ])

// Calculate user's percentage of company-wide egress volume
| _user_percentage := (_user_egress_volume / _total_egress_volume) * 100

// Filter to volume anomalies (>1% threshold - adjust as needed)
| _user_percentage > 1
| unit:convert(_user_egress_volume, from="B", to="GB")
| _user_percentage_display := format("%.2f%%", field=_user_percentage)

// Format output for investigation
| rename(properties.origin_web_locations[0].web_location_name[0], as="Data Origin")
| rename(properties.origin_web_locations[0].cloud_username[0], as="Origin Cloud UserName")
| rename(destination.web_destination[0].web_location_name[0], as="Egress Destination")
| rename(destination.web_destination[0].cloud_username[0], as="Destination Cloud UserName")
| rename(_user_egress_volume, as="Volume (GB)")
| rename(_user_percentage_display, as="% of Company Total")
| table([UserName, "Volume (GB)", "% of Company Total", "Egress Channel", "Data Origin", "Origin Cloud UserName",
         "Egress Destination", "Destination Cloud UserName"], sortby=_user_percentage, order=desc)
```

The 1% threshold is relative to the total egress volume inside the search window, so the time range is part of the detection: a long window containing one historic bulk transfer dilutes every other user's share, while a short window makes routine large uploads cross the line. Pick the range and threshold together against the organization's own distribution.

Figure 9. Identifies users performing bulk data exports that exceed organizational volume thresholds
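The share-of-total logic behaves differently from a fixed byte threshold, which is easiest to see on constructed data. The block below is an added example, not CrowdStrike code: it reproduces the query's per-user aggregation, channel classification and percentage filter in Python over a synthetic population of 200 ordinary users plus two outliers. The field shapes (Size in bytes, a channel list, a web_destination list with web_location_name and cloud_username lists) are assumptions inferred from the field paths in the query, and decimal gigabytes are used for the volume column.

```python
"""Company-wide egress share hunt, replicated in Python over constructed events.

Field shapes are assumed from the CQL query's field paths (Size, destination.channel[0],
destination.web_destination[0].web_location_name[0], ...), not from a published schema.
"""
import json
from collections import defaultdict

CHANNEL_NAMES = {0: "Web", 1: "USB"}  # anything else is classified "Other", as in the query


def egress_volume_share(events, threshold_pct=1.0):
    """Return users whose summed Size exceeds threshold_pct of total egress, largest share first."""
    total = sum(ev["Size"] for ev in events)
    per_user = defaultdict(lambda: {"bytes": 0, "UserName": None, "channels": set(), "destinations": set()})
    for ev in events:
        dest = json.loads(ev["DataEgressDestination"])
        user = per_user[ev["UserSid"]]
        user["bytes"] += ev["Size"]
        user["UserName"] = ev["UserName"]
        user["channels"].add(CHANNEL_NAMES.get(dest["channel"][0], "Other"))
        if dest.get("web_destination"):  # USB/other events carry no web destination
            web = dest["web_destination"][0]
            user["destinations"].add(f'{web["web_location_name"][0]} ({web["cloud_username"][0]})')
    rows = []
    for sid, u in per_user.items():
        pct = u["bytes"] / total * 100 if total else 0.0
        if pct > threshold_pct:
            rows.append({
                "UserSid": sid,
                "UserName": u["UserName"],
                "Volume (GB)": round(u["bytes"] / 1e9, 3),  # decimal GB, like a from="B", to="GB" conversion
                "% of Company Total": round(pct, 2),
                "Egress Channel": sorted(u["channels"]),
                "Egress Destination": sorted(u["destinations"]),
            })
    return sorted(rows, key=lambda r: r["% of Company Total"], reverse=True)


def _event(sid, user, size, channel, location=None, cloud_user=None):
    """Build one constructed DataEgress-like event (synthetic, not real telemetry)."""
    destination = {"channel": [channel]}
    if channel == 0:
        destination["web_destination"] = [{"web_location_name": [location], "cloud_username": [cloud_user]}]
    return {"UserSid": sid, "UserName": user, "Size": size, "DataEgressDestination": json.dumps(destination)}


def build_sample():
    """200 ordinary users sending 5 MB each to corporate SharePoint, plus two outliers."""
    events = [
        _event(f"S-1-5-21-{i}", f"user{i:03d}", 5_000_000, 0, "SharePoint", f"user{i:03d}@corp.example")
        for i in range(200)
    ]
    # carol: compromised account staging and bulk-uploading 3 GB to a non-corporate cloud account
    events.append(_event("S-1-5-21-9001", "carol", 3_000_000_000, 0, "Google Drive", "c.exports@example-personal.net"))
    # dave: 40 MB to Dropbox plus 20 MB to USB; small in absolute terms but above the 1% line here
    events.append(_event("S-1-5-21-9002", "dave", 40_000_000, 0, "Dropbox", "dave@corp.example"))
    events.append(_event("S-1-5-21-9002", "dave", 20_000_000, 1))
    return events


def run_sample(threshold_pct=1.0):
    return egress_volume_share(build_sample(), threshold_pct)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

On this population the total is 4.06 GB, so carol's 3 GB is about 74% and dave's 60 MB about 1.5%, while every ordinary user sits near 0.12%. Note that carol's single bulk transfer is what pushes everyone else below the line; dropping threshold_pct to 0.1 in run_sample() returns all 202 users, which is the point of the "adjust as needed" comment in the query.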

Conclusion

Insider threats and risks represent a significant challenge for modern organizations, requiring sophisticated detection capabilities that go beyond traditional security controls. By combining multi-source risk scoring, behavioral anomaly detection, and data egress visibility, companies can dramatically reduce the likelihood and impact of insider incidents. Together, the CrowdStrike Falcon - Insider Threat Analytics and User Activity Investigation dashboards provide an integrated insider threat detection and investigation workflow.

The Insider Threat Analytics dashboard identifies high-risk users through automated scoring and behavioral hunting, while the User Activity Investigation dashboard enables detailed forensic analysis of flagged activity. This architecture streamlines the progression from risk identification to analysis and incident response. By implementing these dashboards, security teams gain proactive detection of insider threats, enhanced monitoring for departing employees and high-risk users, and adaptable behavioral anomaly detection tuned to organizational context — protecting sensitive data and operations before insider incidents result in significant organizational harm.

Additional Resources

- Learn more about insider threats in this article: Insider Threats Explained.
- Read more about new Falcon Data Protection capabilities in CrowdStrike Strengthens Data Security Across Endpoint, Cloud, and SaaS Applications.
- Try out Falcon Data Protection in this self-paced interactive demo.

