The Departing Engineer

3-4 hours Modules: M16, M2, M11, M6

Incident Brief

Investigation ID: IT-2026-04-002 Date: Wednesday, 09 April 2026 Trigger: HR referral + UEBA anomaly Classification: Insider threat — covert investigation Assigned to: You

HR contacts the security team: Marcus Chen, Senior Design Engineer, submitted his resignation yesterday. He is joining Meridian Precision — a direct competitor. His last day is 25 April. Marcus has access to the product development SharePoint site, the engineering team’s shared mailbox, and 3 years of design documents.

This morning, UEBA flagged Marcus’s account with an investigation priority score of 7 (baseline: 2). The anomaly types: “Unusual volume of file downloads” and “First-time access to archived SharePoint site.”

Legal authorisation: Legal counsel has confirmed the investigation is authorised under the acceptable use policy. Scope: M365 activity logs and endpoint telemetry for the last 30 days. The investigation must be covert — Marcus must not know he is being investigated.

Marcus Chen’s profile:

Attribute	Value
UPN	m.chen@northgateeng.com
Department	Engineering — Product Design
Device	LAPTOP-NGE027
Manager	D. Thompson
Start date	March 2021
Resignation date	8 April 2026
Last day	25 April 2026
New employer	Meridian Precision (competitor)

Your Investigation

This is a covert investigation. Every action must be invisible to Marcus. No account changes, no direct questioning, no workspace inspection. Document everything — your findings may be reviewed by employment lawyers.

Phase 1: Establish Baseline

Question 1. What is Marcus’s normal file download volume? Establish the 6-month baseline before investigating the anomaly.

1
2
3
4
5
6
7
// Starting query: Marcus's file activity baseline (6 months before resignation)
CloudAppEvents
| where TimeGenerated between(ago(210d) .. ago(30d))
| where AccountDisplayName == "Marcus Chen"
| where ActionType in ("FileDownloaded", "FileCopied", "FileUploaded")
| summarize DailyCount = count() by bin(TimeGenerated, 1d), ActionType
| summarize AvgDaily = avg(DailyCount), MaxDaily = max(DailyCount) by ActionType

Question 2. What SharePoint sites does Marcus normally access? Build the baseline site list.

Phase 2: Investigate the Anomaly

Question 3. What is Marcus’s file download volume in the last 30 days? Compare to the baseline. Is there a step change, and if so, when did it start? Does it correlate with the resignation date?

1
2
3
4
5
6
7
// Starting query: recent activity compared to baseline
CloudAppEvents
| where TimeGenerated > ago(30d)
| where AccountDisplayName == "Marcus Chen"
| where ActionType in ("FileDownloaded", "FileCopied")
| summarize DailyCount = count() by bin(TimeGenerated, 1d)
| order by TimeGenerated asc

Question 4. What specific files has Marcus downloaded in the last 14 days? Are they within his normal project scope, or has he accessed new sites?

1
2
3
4
5
6
7
8
9
// Starting query: specific files downloaded
CloudAppEvents
| where TimeGenerated > ago(14d)
| where AccountDisplayName == "Marcus Chen"
| where ActionType in ("FileDownloaded", "FileCopied")
| extend FileName = tostring(parse_json(RawEventData).SourceFileName)
| extend SiteUrl = tostring(parse_json(RawEventData).SiteUrl)
| project TimeGenerated, ActionType, FileName, SiteUrl
| order by TimeGenerated desc

Question 5. The UEBA flagged “First-time access to archived SharePoint site.” Which archived site did Marcus access? When? What did he download from it?

Phase 3: Exfiltration Channel Assessment

Question 6. Check all five exfiltration channels. For each, determine: was it used? What volume? What timing?

Channel A — Personal cloud storage:

1
2
3
4
5
6
7
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where DeviceName == "LAPTOP-NGE027"
| where RemoteUrl has_any ("dropbox.com", "drive.google.com", "icloud.com",
    "mega.nz", "wetransfer.com", "onedrive.live.com")
| project TimeGenerated, RemoteUrl, InitiatingProcessFileName
| order by TimeGenerated desc

Channel B — USB:

1
2
3
4
5
DeviceEvents
| where TimeGenerated > ago(30d)
| where DeviceName == "LAPTOP-NGE027"
| where ActionType in ("UsbDriveMounted", "RemovableStoragePolicyTriggered")
| project TimeGenerated, ActionType, AdditionalFields

Channel C — Personal email:

1
2
3
4
5
6
7
8
EmailEvents
| where TimeGenerated > ago(30d)
| where SenderFromAddress == "m.chen@northgateeng.com"
| where RecipientEmailAddress !endswith "@northgateeng.com"
| join kind=inner (
    EmailAttachmentInfo | where FileSize > 10240
) on NetworkMessageId
| project TimeGenerated, RecipientEmailAddress, Subject, FileName, FileSize

Channel D — Print:

1
2
3
4
5
DeviceEvents
| where TimeGenerated > ago(30d)
| where DeviceName == "LAPTOP-NGE027"
| where ActionType == "PrintJobCreated"
| project TimeGenerated, AdditionalFields

Channel E — Screen capture / manual copy: (Low detectability — assess indirectly via timing patterns and file access without corresponding download events.)

Question 7. Build the combined exfiltration timeline: all channels, chronological order. What story does the timeline tell?

Phase 4: Evidence and Handover

Question 8. What evidence preservation actions should you take RIGHT NOW — before HR makes any decisions?

Question 9. Draft the factual findings summary for the HR handover meeting. Remember: facts only. No conclusions about intent. No recommendations for punishment. What did Marcus do, when, and via which channels?

Question 10. HR asks: “Should we revoke his access immediately or let him work out his notice period?” What are the security considerations for each option? What do you recommend and why?

Question 11. If HR decides to revoke access during a meeting with Marcus: write the exact sequence of technical actions you execute, and at what moment relative to the HR meeting.

Solution

Click to reveal the full solution walkthrough

Solution walkthrough

Q1: Baseline. Marcus’s normal file download volume is 8-12 files per day, primarily from the Active Projects SharePoint site and Engineering Shared Documents. His maximum single-day download in the baseline period was 23 files (during a project deadline).

Q2: Normal sites. Marcus regularly accesses 4 SharePoint sites: Active Projects, Engineering Shared Docs, Engineering Team Site, and the company intranet. He has NOT previously accessed: Design Archive, Client Contracts, or Product Roadmap sites.

Q3: Anomaly. File downloads spiked from a baseline of 8-12/day to 45-60/day starting 9 April (the day after resignation). The step change correlates exactly with the resignation date. Over 7 days: approximately 350 files downloaded vs baseline expectation of ~70.

Q4: Files. 67 files from the Design Archive (not in baseline — UEBA flagged this correctly). 42 files from Active Projects (within scope but 3x normal volume). 15 files from Product Roadmap (not in baseline). File types: .dwg (CAD drawings), .step (3D models), .pdf (specifications), .xlsx (component lists).

Q5: Archived site. Marcus accessed the “Design Archive 2021-2023” SharePoint site for the first time on 10 April. Downloaded 67 files — the complete set of product specifications for the product line his new employer Meridian Precision competes with.

Q6-7: Exfiltration channels. Channel A (Cloud): Dropbox.com connections detected on 11 April at 22:14 and 12 April at 07:30. Upload volume correlates with file count. Channel B (USB): USB drive mounted on 13 April at 21:47. DeviceFileEvents shows 45 files written to E:\ drive. Channel C (Email): 5 emails with attachments sent to m.chen.personal@gmail.com on 12 April — client contact lists. Channel D (Print): 3 print jobs on 11 April — unknown content.

Timeline narrative: 9 April: resignation submitted. 9-10 April: bulk download from Design Archive and Product Roadmap (reconnaissance/staging). 11 April: print jobs + first Dropbox connection (initial exfiltration). 12 April: Dropbox upload + email to personal Gmail (continued exfiltration). 13 April: USB file copy at 21:47 (bulk physical exfiltration). Three channels used: cloud, USB, and email.

Q8: Evidence preservation. 1) Place mailbox on litigation hold (covert — Marcus cannot see it). 2) Create eDiscovery compliance search for investigation window. 3) Export query results as Sentinel bookmarks. 4) Ensure Defender for Endpoint device timeline is retained. Do NOT: wipe the device, disable the account, or change any permissions that Marcus would notice.

Q9: HR summary. “Between 9-13 April 2026, Marcus Chen downloaded 350 files from SharePoint — approximately 5x his normal daily volume. 67 files were from the Design Archive, a site he had not previously accessed. The files include product specifications, CAD drawings, and component lists for the [product line]. File transfers were detected to: personal Dropbox (11-12 April), personal Gmail with attachments (12 April), and a USB device (13 April). Evidence has been preserved via litigation hold and eDiscovery export.”

Q10: Access decision. Immediate revocation: eliminates further exfiltration risk but alerts Marcus and may affect his cooperation in the HR meeting. Work out notice: allows continued monitoring to build a complete evidence picture but accepts ongoing exfiltration risk. Recommendation: apply covert containment (Module 16.7) — block USB via device compliance policy with a cover story (“IT security update”), block personal cloud storage domains at the proxy, and continue monitoring. This reduces exfiltration channels without alerting Marcus. Then schedule the HR meeting within 48 hours.

Q11: Revocation sequence. T-0 (HR meeting starts): HR calls security. Execute: 1) Disable account. 2) Revoke all tokens. T+5: Verify sign-ins failing. T+30: Remove from all SharePoint sites, Teams, shared mailboxes. Initiate remote wipe if device will not be collected in person. T+1h: Confirm with HR that device is collected. Confirm litigation hold is active.

← All Challenges