16.2 Incident Briefing: INC-2026-0401-005
The trigger
On 1 April 2026, HR contacts the security team: “Marcus Chen (m.chen@northgateeng.com), Senior Mechanical Engineer, submitted his resignation yesterday. His last day is 15 April. Marcus has been with Northgate for 7 years and has access to proprietary product design files, manufacturing specifications, and client project documents. He is joining a direct competitor. We would like security to check whether any data has been removed.”
This is a standard HR referral — the most common insider threat investigation trigger.
What you know at this point
From HR: Marcus resigned on 31 March. Last day: 15 April. Joining Meridian Precision Components Ltd (the same vendor from the Module 13 BEC scenario — now relevant as a competitor). Marcus has been a high performer with no prior disciplinary issues. HR has no evidence of data theft — they are requesting a precautionary investigation.
From IT/directory: Marcus’ role: Senior Mechanical Engineer. Department: Product Engineering. M365 licence: E5. Devices: LAPTOP-NGE027 (Intune managed, Entra joined). SharePoint access: Product Engineering site, Project Archives site, and 3 client project sites. OneDrive: standard allocation. No DLP alerts in the past 90 days.
What you do NOT know: Whether Marcus has exfiltrated any data. Whether his activity in the past 2-4 weeks is normal or anomalous. Whether he has used USB devices, personal cloud storage, or personal email for file transfer.
Investigation constraints
Confidentiality. Marcus must not learn he is under investigation. All log analysis must be conducted through Sentinel, Defender, and Purview — no direct questioning of Marcus, no inspection of his physical workspace, and no changes to his access that he would notice. If the investigation finds evidence of exfiltration, HR and legal will determine the response — security does not confront the employee.
Proportionality. This is a precautionary investigation based on a risk indicator (resignation + competitor move), not a confirmed incident. The investigation should assess whether exfiltration occurred — not assume it did. If the analysis shows normal work activity, that is a valid finding.
Legal basis. Confirm with legal counsel that the investigation is authorised under the organisation’s acceptable use policy and employment contracts. In the UK, monitoring must be proportionate and comply with the Data Protection Act 2018 / UK GDPR. Most M365 tenants have an acceptable use policy that permits monitoring of company systems — but verify before proceeding.
Investigation planning
Before running any queries, plan the investigation scope:
Time window. The investigation window starts 30 days before the resignation date (31 March). Departing employees typically begin exfiltrating 2-4 weeks before departure. Search window: 1 March — present.
Data sources to query.
| Source | What It Shows | Required Connector |
|---|---|---|
| CloudAppEvents | SharePoint/OneDrive file access, downloads, sync | Defender XDR connector |
| DeviceFileEvents | Local file operations, USB writes, folder moves | Defender for Endpoint |
| DeviceNetworkEvents | Cloud storage uploads, external transfers | Defender for Endpoint |
| DeviceEvents | USB mount, print jobs, screen capture tools | Defender for Endpoint |
| EmailEvents + EmailAttachmentInfo | Email with attachments to personal addresses | Defender for Office 365 |
| SigninLogs | Sign-in times (after-hours activity) | Entra ID connector |
Verify data availability before starting the investigation:
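The following data-availability check is an added example written for this briefing, not part of the course material. It is KQL for the Sentinel workspace and assumes the standard table and column names populated by the Defender XDR, Defender for Endpoint, Defender for Office 365 and Entra ID connectors; the subject UPN, device name and window start are the values given above. It returns one row per expected source, so a missing or stale source is visible before the first investigative query runs.

```kusto
// Added example (not course material): confirm every planned data source
// actually holds events for the subject and device in the investigation window.
let subject      = "m.chen@northgateeng.com";   // UPN from the HR referral
let device       = "LAPTOP-NGE027";             // MDE DeviceName is usually the lower-case FQDN; prefix match below
let window_start = datetime(2026-03-01);        // investigation window from the plan
// The six sources the plan expects; any missing from the union shows up as zero rather than silently disappearing.
let expected = datatable(Source:string)
    ["CloudAppEvents", "DeviceFileEvents", "DeviceNetworkEvents",
     "DeviceEvents", "EmailEvents", "SigninLogs"];
// isfuzzy=true keeps the query running even if a table is absent from the workspace
// (for example, no Defender for Endpoint connector), which is exactly the gap we want to surface.
let observed = union isfuzzy=true
    (CloudAppEvents
        | where Timestamp >= window_start
        | where tostring(RawEventData.UserId) =~ subject     // Office 365 audit records carry the UPN here
        | project Source = "CloudAppEvents", EventTime = Timestamp),
    (DeviceFileEvents
        | where Timestamp >= window_start and DeviceName startswith device
        | project Source = "DeviceFileEvents", EventTime = Timestamp),
    (DeviceNetworkEvents
        | where Timestamp >= window_start and DeviceName startswith device
        | project Source = "DeviceNetworkEvents", EventTime = Timestamp),
    (DeviceEvents
        | where Timestamp >= window_start and DeviceName startswith device
        | project Source = "DeviceEvents", EventTime = Timestamp),
    (EmailEvents
        | where Timestamp >= window_start and SenderFromAddress =~ subject
        | project Source = "EmailEvents", EventTime = Timestamp),
    (SigninLogs
        | where TimeGenerated >= window_start and UserPrincipalName =~ subject
        | project Source = "SigninLogs", EventTime = TimeGenerated)
    | summarize Events = count(), FirstSeen = min(EventTime), LastSeen = max(EventTime) by Source;
expected
| join kind=leftouter observed on Source
| extend Events = coalesce(Events, 0)
| extend Status = case(Events == 0,      "NO DATA - blind spot, record it in the investigation log",
                       LastSeen < ago(2d), "STALE - ingestion appears to have stopped",
                                           "OK")
| project Source, Events, FirstSeen, LastSeen, Status
| order by Source asc
```

Run it once, paste the result table into the investigation log next to the scope statement, and treat any NO DATA row as a documented limitation of the findings rather than something to fix quietly later: the "2 days" staleness threshold is an assumption and should match the tenant's normal ingestion delay.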
If DeviceFileEvents or DeviceNetworkEvents return zero: Defender for Endpoint is not ingesting data for Marcus’ device. Without endpoint telemetry, you cannot detect USB transfers, local file operations, or personal cloud uploads. The investigation proceeds with cloud-only data (CloudAppEvents, EmailEvents) but with significant blind spots.
Document the investigation scope before running the first query: “Investigation ID: IT-INC-2026-0401-005. Subject: m.chen@northgateeng.com. Trigger: HR referral (resignation, competitor move). Legal authorisation: confirmed by [legal counsel] on [date]. Investigation window: 1 March — present. Data sources: [list]. Scope: assess whether data transfer outside normal work patterns occurred.”
This documentation protects the investigation if it is later scrutinised — it shows the investigation was planned, proportionate, and authorised.
Your job is to determine whether data exfiltration occurred and to preserve the evidence if it did. You do not determine guilt, impose consequences, or confront the employee. Present your findings to HR and legal. They make the decisions. Your investigation report is a factual account of technical findings — not an accusation.
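As an added example of the baseline comparison the planning above calls for (it is not part of the course material), the KQL below compares the subject's daily SharePoint/OneDrive download counts inside the investigation window with their own activity in the 60 days before it. It assumes CloudAppEvents is populated through the Defender XDR connector, that RawEventData.UserId carries the UPN for Office 365 audit records, and that the application names and action types listed are the ones the tenant emits; the z-score threshold of 3 is an assumption to be tuned.

```kusto
// Added example (not course material): is the subject's download volume in the
// investigation window unusual for *this user*, measured against their own prior 60 days?
let subject        = "m.chen@northgateeng.com";   // UPN from the HR referral
let window_start   = datetime(2026-03-01);        // investigation window from the plan
let baseline_start = window_start - 60d;          // assumption: 60 days of the user's own history as the baseline
let downloads = CloudAppEvents
    | where Timestamp >= baseline_start
    | where tostring(RawEventData.UserId) =~ subject
    | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
    | where ActionType in ("FileDownloaded", "FileSyncDownloadedFull")   // browser downloads and full sync pulls
    | extend Day = bin(Timestamp, 1d);
// Baseline: per-day counts before the window. Days with no downloads produce no row,
// so the mean is biased high, which errs on the side of NOT flagging ordinary activity.
let baseline_days = downloads
    | where Timestamp < window_start
    | summarize Files = count() by Day;
let baseline_mean = toscalar(baseline_days | summarize avg(Files));
let baseline_sd   = toscalar(baseline_days | summarize stdev(Files));
downloads
| where Timestamp >= window_start
| summarize Files = count(),
            DistinctSites = dcount(tostring(RawEventData.SiteUrl))   // spread across sites matters as much as volume
          by Day
| extend BaselineMean = round(baseline_mean, 1),
         BaselineSd   = round(baseline_sd, 1)
| extend ZScore = iff(baseline_sd > 0, round((Files - baseline_mean) / baseline_sd, 2), real(null))
| extend Flag = iff(ZScore > 3, "REVIEW", "")   // assumption: 3 standard deviations above own baseline
| project Day, Files, DistinctSites, BaselineMean, BaselineSd, ZScore, Flag
| order by Day asc
```

A day marked REVIEW is a lead for targeted follow-up (which files, which sites, what happened on the endpoint at the same time), not a finding in itself; a window with no flagged days is the "normal work activity" result the proportionality constraint says is valid, and should be reported as such.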
Knowledge check
Pre-investigation checklist
Before running any queries, complete these preparation steps:
- Legal authorisation confirmed. Legal counsel has confirmed the investigation is authorised under the acceptable use policy and employment contracts.
- Investigation scope defined. What data: M365 logs + endpoint telemetry. What time range: last 30 days (expandable if needed). What channels: SharePoint/OneDrive, email, USB, cloud storage, print.
- Investigation team identified. Who has access to the investigation: SOC analyst + HR contact + legal counsel. No one else — especially not the subject’s direct manager.
- Confidentiality protocol established. Investigation queries run from the analyst’s workstation only. No investigation data stored in shared locations accessible to the subject. No discussion of the investigation in shared channels (Teams, Slack) that the subject can see.
- Documentation started. Investigation log opened with: date, trigger, legal authorisation reference, scope, team members. Every action from this point is recorded.
Investigation naming convention: Use a neutral naming convention that does not identify the subject or the nature of the investigation. Example: “IT-2026-0401-005” — not “Marcus Chen Data Theft Investigation.” If the investigation file name appears in a log, a notification, or a file share listing, a neutral name does not reveal the investigation to the subject or to uninvolved colleagues.
Check your understanding
1. HR asks you to "monitor Marcus and catch him stealing data." How do you frame the investigation?