How to detect employee termination risk
Threat snapshot
The period between when an employee decides to leave and when their access is revoked is one of the highest-risk windows in enterprise security. The employee has full legitimate access to all systems their role requires, but their incentive to protect the organization's data has changed. Research consistently shows that a significant percentage of employees who resign or are terminated take proprietary information with them: customer lists, source code, financial models, product roadmaps, or whatever the most strategically valuable data in their role happens to be.
What distinguishes a termination-risk data loss event from an external breach is not the technical method but the legitimacy of the access. The employee is not bypassing authentication, exploiting a vulnerability, or using stolen credentials. They are accessing files and systems they are fully authorized to access, which is why traditional security controls that detect anomalous authentication or unauthorized access provide little protection in this scenario. The signal is behavioral: a pattern of access that deviates from the employee's established baseline in volume, scope, or destination.
The behavioral patterns that indicate data collection before departure are well documented and detectable with the right monitoring in place. Bulk file access that exceeds the employee's normal daily volume, email forwarding rules created to personal accounts, SharePoint mass downloads, connections to cloud storage services such as MEGA, creation of Rclone configurations, and PowerShell-based email collection all produce log events that Log360's detection rules surface in real time.
Employee termination risk, at a glance
| Attribute | Detail |
|---|---|
| Severity | High |
| Category | Identity & Access |
| Behaviors covered | Data hoarding and bulk file access, email forwarding rule creation, SharePoint and cloud mass download, exfiltration to cloud storage, tunneling tool usage, PowerShell email collection, database and backup exfiltration, credential harvesting before departure |
| MITRE ATT&CK tactics | TA0009 - Collection, TA0010 - Exfiltration |
| MITRE techniques | T1005 - Data from Local System, T1114 - Email Collection, T1114.001 - Local Email Collection, T1114.003 - Email Forwarding Rule, T1567 - Exfiltration Over Web Service, T1567.002 - Exfiltration to Cloud Storage |
| Platforms covered | Windows, Microsoft 365, AWS, Fortinet, Salesforce |
| Log360 detection rules | 29 (listed under Detecting employee termination risk with Log360) |
| SOC maturity level | Level 2 - Investigation |
| Compliance mapping | NIST CSF PR.DS-5, PCI-DSS 12.6, HIPAA Section 164.308(a)(3), ISO 27001 A.7.3.1 |
How termination-related data loss occurs
Data exfiltration by departing employees follows predictable patterns based on the employee's role, technical sophistication, and the type of data they are targeting. Five primary exfiltration paths account for the vast majority of termination-risk incidents.
Email collection and forwarding (T1114)
Email forwarding is the simplest and most common exfiltration method for non-technical departing employees. Creating a mail flow rule in M365 that forwards all incoming and outgoing mail to a personal Gmail or Outlook account requires no technical knowledge and takes under a minute in the M365 web interface. The forwarded copy arrives in the personal account regardless of what happens to the corporate account after termination, creating a persistent copy of all business correspondence, attachments, and customer communications.
More technically capable employees may use PowerShell to perform local email collection, accessing Outlook PST files or Exchange mailboxes via MAPI to extract email archives directly to local disk before external transfer. This approach bypasses M365 forwarding rule monitoring because the collection happens at the local client level rather than via M365 transport rules.
Cloud storage and tunnel exfiltration (T1567.002)
Cloud storage services are the preferred exfiltration destination for departing employees who want to avoid DLP controls monitoring USB or email. MEGA, Ufile, and similar services provide encrypted file storage with no corporate visibility into uploaded content. Rclone is a command-line tool that syncs files to over 70 cloud storage backends and is particularly effective for bulk exfiltration because it can replicate entire directory trees in a single command. Tunneling tools like Ngrok, Cloudflared, BTunnels, DevTunnels, and VS Code tunnels create encrypted channels to external endpoints that can bypass DLP and web filtering by routing through legitimate hosting infrastructure.
Mass file access and SharePoint download (T1005)
Data hoarding before departure typically shows up as a sudden increase in file access volume on file servers and SharePoint. An employee who normally accesses 50 to 100 files per day suddenly reading 2,000 files in a single session is collecting data, not doing their job. Failed file access attempts are equally significant: an employee probing restricted directories indicates they are testing the boundaries of their access to find additional data beyond their normal role scope. In M365 environments, bulk SharePoint downloads above a defined daily threshold are the primary data collection indicator for cloud-native departing employees.
Specialized data collection by role (T1005)
Database administrators may execute suspicious SQL backup jobs to export entire databases to local paths outside the standard backup schedule. Veeam administrators may query the Veeam database to access backup credentials. Salesforce users may perform bulk data transfers that exceed normal CRM export volume. AWS administrators may attempt to export EC2 virtual machine images. Credential harvesting before departure is a distinct category: Esentutl browser credential extraction, ADFS database access, and cryptocurrency wallet activity each produce distinct process creation or file access signatures that Log360's rules target.
Real-world incidents
Trade secret theft: departing engineers downloading IP before joining competitors
The most commonly litigated category of insider data theft involves engineers, product managers, or sales staff who download proprietary technical documentation, source code, customer lists, or pricing models in the days before their last day. The downloading behavior is characteristically compressed into a short window: the employee who has averaged 20 file accesses per day for two years suddenly opens 800 files in a single afternoon. The timing relative to the resignation date, combined with the specific file paths accessed, is what separates data hoarding from legitimate end-of-project file review.
Salesforce CRM data exfiltration by departing sales staff
Sales personnel departing to join a competitor frequently export CRM data: contact lists, deal history, account notes, and pipeline data. In Salesforce environments, bulk data export events above normal usage thresholds are detectable via Salesforce event monitoring. The Suspicious Bulk Data Transfer Activity in Salesforce rule fires when export volume significantly exceeds the user's established baseline. The combination of a large Salesforce export followed by Rclone or MEGA connection activity from the same user on the same day is a high-confidence data theft indicator.
Database administrator SQL backup exfiltration
A departing DBA who creates an ad hoc SQL backup job outside of the scheduled backup window, writing the backup to a non-standard path on their local workstation rather than the backup server, is the pattern detected by the Suspicious SQL backup activity rule. The combination of off-schedule timing, non-standard destination path, and proximity to a known departure date makes this pattern high-confidence in a termination risk monitoring context.
Exfiltration method reference table
| Role type | Common data target | Preferred method | Log360 primary detection |
|---|---|---|---|
| General employee | Emails, project files, customer contacts | Email forwarding rule, SharePoint download | Mail Flow Rule for Forwarding Created, Office365 Sharepoint File transfer above threshold |
| Sales / account manager | CRM contacts, pipeline data, pricing | Salesforce bulk export, email forwarding | Suspicious Bulk Data Transfer Activity in Salesforce, Mailbox Mail Forwarding Enabled |
| Engineer / developer | Source code, technical documentation, IP | Rclone sync, MEGA upload, tunneling tool | PUA - Rclone Execution, DNS Query To MEGA Hosting Website, Ngrok/tunnel rules |
| Database administrator | Database exports, backup credentials | SQL backup to local path, Veeam query | Suspicious SQL backup activity, VeeamBackup Database Credentials Dump Via Sqlcmd.EXE |
| IT / sysadmin | Credentials, system configs, VM images | Esentutl browser dump, AWS VM export, ADFS access | Esentutl Steals Browser Information, AWS EC2 VM Export Failure, ADFS Database Named Pipe Connection By Uncommon Tool |
| Finance / analyst | Financial models, pricing data, reports | Mass file download, email forwarding | Suspicious file access, Failed file access attempts, Mail Flow Rule for Forwarding Created |
Business impact
- Trade secret and IP loss. The theft of proprietary technical information, customer data, or business strategies by departing employees represents one of the highest-value categories of insider threat. Unlike ransomware, the damage from IP theft is often invisible until the competitor uses the stolen information, by which time it has already been fully exploited.
- Legal and regulatory exposure. Under trade secret protection laws such as the US Defend Trade Secrets Act and EU Trade Secrets Directive, and data protection regulations including GDPR and CCPA, unauthorized exfiltration of customer data by a departing employee creates legal exposure if the organization cannot demonstrate that adequate monitoring and access controls were in place.
- Customer relationship damage. CRM data and customer contact exfiltration by departing sales staff is a direct threat to customer relationships. Customers targeted by a former employee using data obtained from the corporate CRM have legal claims against the former employer if the exfiltration was not detected and the customer was not notified.
- Cost of forensic investigation. When data theft is discovered after the fact, the organization faces forensic investigation costs to determine what was taken, legal costs for civil proceedings, and the operational cost of remediating any access retained post-termination through forwarded email rules or harvested credentials.
Detecting employee termination risk with Log360
Log360's 29 detection rules for this use case cover the full spectrum of departing employee exfiltration behavior across five platforms. For Windows-based rules, Sysmon must be deployed with process creation (Event 1), network connection (Event 3), DNS query (Event 22), and file creation (Event 11) logging enabled. For M365 rules, unified audit logs must be configured and forwarded to Log360. For AWS, Salesforce, and Fortinet rules, the respective platform log sources must be configured as connectors in Log360.
Email collection and forwarding
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Mail Flow Rule for Forwarding Created | Trouble | Microsoft 365 | T1114.003 | A new M365 transport rule was created that forwards messages to an external address. This is the primary detection for departing employees setting up automatic email forwarding to personal accounts. Any external forwarding rule not correlated with a documented business justification should be treated as suspicious, particularly when the creating account is known to be departing. |
| Mailbox Mail Forwarding Enabled | Trouble | Microsoft 365 | T1114.003 | Mailbox-level forwarding was enabled for a user's M365 mailbox to an external address. Covers the alternative forwarding mechanism available via Outlook settings or PowerShell, which creates mailbox-level forwarding rather than a transport rule. |
| Powershell Local Email Collection | Trouble | Windows | T1114.001 | PowerShell accessing local Outlook PST files or Exchange mailbox data via MAPI. Used by more technically capable departing employees to collect email archives to local disk for subsequent exfiltration without creating a detectable M365 forwarding rule. |
| HTTP Access Limit Violation | Trouble | Fortinet | T1114 | HTTP access rate limit violation detected by Fortinet network appliance, indicating bulk download or upload activity above normal usage patterns. Provides network-layer visibility into mass data transfer not visible in application-layer logs. |
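The two forwarding rules above key on the Exchange Online cmdlets recorded in the M365 unified audit log. The script below is an added example (not Log360 code) showing the classification logic: it reads one audit record per line, picks out the cmdlets and parameters that carry a forwarding destination, and reports only destinations outside the corporate domains. The record layout follows the unified audit log's Operation/UserId/ObjectId/Parameters shape; the corporate domain list and the four sample records are constructed for the example.

```python
"""Flag Microsoft 365 audit records that set up external mail forwarding.

Added example, not Log360 code. The record layout follows the Exchange Online
entries in the unified audit log (Operation, UserId, ObjectId and a Parameters
list of Name/Value pairs); the sample records and corporate domain list below
are constructed for this example.
"""
import json
import re
from typing import List, Optional

# Assumption: the organization's own mail domains; any other domain is external.
CORPORATE_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Exchange cmdlets that can create forwarding, and the parameters carrying the
# destination. Transport rules map to "Mail Flow Rule for Forwarding Created";
# mailbox-level and inbox-rule forwarding map to "Mailbox Mail Forwarding Enabled".
FORWARDING_PARAMS = {
    "New-TransportRule": ("RedirectMessageTo", "BlindCopyTo", "CopyTo"),
    "Set-TransportRule": ("RedirectMessageTo", "BlindCopyTo", "CopyTo"),
    "Set-Mailbox": ("ForwardingSmtpAddress",),
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
}

# Destination values show up as "smtp:a@b.com", "a@b.com;c@d.org" or
# '"Display Name" [SMTP:a@b.com]'; a plain address regex covers all three.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def external_addresses(value: str) -> List[str]:
    """Return the addresses in a parameter value whose domain is not corporate."""
    found = {a.lower() for a in ADDRESS_RE.findall(value)}
    return sorted(a for a in found if a.rsplit("@", 1)[1] not in CORPORATE_DOMAINS)


def classify(record: dict) -> Optional[dict]:
    """Return a finding for a record that forwards mail externally, else None."""
    operation = record.get("Operation", "")
    watched = FORWARDING_PARAMS.get(operation)
    if not watched:
        return None
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    external = sorted({a for name in watched if name in params
                       for a in external_addresses(params[name])})
    if not external:
        return None
    rule = ("Mail Flow Rule for Forwarding Created" if operation.endswith("TransportRule")
            else "Mailbox Mail Forwarding Enabled")
    return {
        "rule": rule,
        "time": record.get("CreationTime"),
        "actor": record.get("UserId"),                              # account that ran the cmdlet
        "target": params.get("Identity", record.get("ObjectId")),  # rule name or mailbox
        "external": external,
    }


def scan(lines: List[str]) -> List[dict]:
    """Classify one JSON audit record per line; lines that are not JSON are skipped."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(record)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records: 1, 3 and 4 forward externally; 2 is internal.
SAMPLE_LINES = [
    json.dumps({"CreationTime": "2025-03-03T08:12:41", "Operation": "New-TransportRule",
                "UserId": "alice@contoso.com", "ObjectId": "Copy to personal",
                "Parameters": [{"Name": "Name", "Value": "Copy to personal"},
                               {"Name": "BlindCopyTo", "Value": "alice.home@gmail.com"}]}),
    json.dumps({"CreationTime": "2025-03-03T09:00:05", "Operation": "Set-Mailbox",
                "UserId": "admin@contoso.com", "ObjectId": "bob@contoso.com",
                "Parameters": [{"Name": "Identity", "Value": "bob@contoso.com"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:helpdesk@contoso.com"}]}),
    json.dumps({"CreationTime": "2025-03-03T17:45:19", "Operation": "New-InboxRule",
                "UserId": "carol@contoso.com", "ObjectId": "carol@contoso.com\\Forward all",
                "Parameters": [{"Name": "Name", "Value": "Forward all"},
                               {"Name": "ForwardTo", "Value": '"Carol" [SMTP:carol.p@outlook.com]'}]}),
    json.dumps({"CreationTime": "2025-03-04T07:02:33", "Operation": "Set-Mailbox",
                "UserId": "dave@contoso.com", "ObjectId": "dave@contoso.com",
                "Parameters": [{"Name": "Identity", "Value": "dave@contoso.com"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.home@proton.me"}]}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f["time"], f["rule"], f["actor"], "->", ", ".join(f["external"]))
```

Keying on the domain rather than on specific webmail providers is deliberate: a forwarding destination at any non-corporate domain is the condition the rules describe, and an allowlist of documented business-justified destinations can be layered on top of the same finding record.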
Mass file access and SharePoint download
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Suspicious file access | Critical | Windows | T1005 | Advanced anomaly rule firing when file access volume, velocity, or path pattern deviates significantly from the user's established baseline. Covers the data hoarding pattern where a user accesses far more files than their historical average or accesses file paths outside their normal working scope. Critical severity because this behavioral deviation is a high-confidence indicator of systematic data collection. |
| Failed file access attempts | Critical | Windows | T1005 | Multiple access denied events for file system objects, indicating an employee probing paths they do not have permission to access. A departing employee attempting to access files in restricted directories beyond their normal role scope is either expanding their collection or testing whether access controls have already been tightened. |
| Office365 Sharepoint File transfer above threshold | Trouble | Microsoft 365 | T1567 | SharePoint or OneDrive file download volume exceeded the configured threshold for a single user within a defined time window. Primary detection for departing employees performing mass downloads of SharePoint document libraries, team site contents, or OneDrive shared folders. |
Cloud storage exfiltration
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| DNS Query To MEGA Hosting Website | Trouble | Windows | T1567.002 | DNS resolution of MEGA cloud storage domains. MEGA is the most commonly used cloud storage service for data exfiltration due to its end-to-end encryption. DNS-level detection fires before any data has been transferred, providing the earliest possible detection signal. |
| Network Connection Initiated To Mega.nz | Attention | Windows | T1567.002 | Active network connection to MEGA.nz IP ranges established from an endpoint. Complements the DNS query rule by detecting established connections, providing a second detection layer even if DNS caching prevents the DNS query rule from firing. |
| DNS Query To Ufile.io | Attention | Windows | T1567.002 | DNS resolution of Ufile.io, an anonymous file storage service. Used for exfiltration because uploaded files are accessible without account registration and are not linked to the uploader's identity. |
| DNS Query for Anonfiles.com Domain - Sysmon | Trouble | Windows | T1567.002 | DNS resolution of Anonfiles.com domains, an anonymous file hosting service specifically chosen by insiders for its lack of upload logging or user registration requirements. |
| PUA - Rclone Execution | Trouble | Windows | T1567.002 | Rclone binary execution detected via Sysmon process creation. Rclone can synchronize files to over 70 cloud storage backends in a single command, making it one of the most efficient bulk exfiltration tools available. Its execution from a standard user account outside of documented IT administration use is a high-confidence exfiltration indicator. |
| Rclone Config File Creation | Trouble | Windows | T1567.002 | Rclone configuration file (rclone.conf) created in the user profile or user-writable path. This file stores cloud backend credentials for subsequent use. Detecting configuration file creation provides early warning before bulk transfer starts. |
Tunneling tool exfiltration
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Communication To Ngrok Tunneling Service Initiated | Trouble | Windows | T1567 | Ngrok client communication to Ngrok's control plane. Ngrok creates encrypted tunnels to external endpoints through Ngrok's relay infrastructure, bypassing web filtering and DLP controls. |
| Process Initiated Network Connection To Ngrok Domain | Trouble | Windows | T1567.001 | Process-level network connection to an Ngrok tunnel domain. Provides the parent process context needed to determine which application is initiating the Ngrok tunnel. |
| Network Connection Initiated To BTunnels Domains | Trouble | Windows | T1567 | Network connection to BTunnels service domains. BTunnels is used as an alternative to Ngrok to bypass controls that specifically block Ngrok traffic. |
| Network Connection Initiated To Cloudflared Tunnels Domains | Trouble | Windows | T1567 | Network connection to Cloudflare Tunnel (cloudflared) domains. Cloudflared creates encrypted tunnels through Cloudflare's CDN infrastructure, making tunnel traffic indistinguishable from legitimate Cloudflare traffic at the network layer. |
| Network Connection Initiated To DevTunnels Domain | Trouble | Windows | T1567.001 | Network connection to Microsoft DevTunnels service, a development tool abused for exfiltration because it routes through Microsoft's infrastructure. In a termination risk context, VS Code and DevTunnels also provide the departing employee with a persistent post-termination remote access channel to the endpoint if configured before departure. |
| Network Connection Initiated To Visual Studio Code Tunnels Domain | Trouble | Windows | T1567 | Network connection to VS Code Remote Tunnels service via Microsoft's relay infrastructure. Provides persistent remote access to the endpoint from any device, making it a dual-use exfiltration and persistence tool for departing technical employees. |
Living-off-the-land exfiltration
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| LOLBAS Data Exfiltration by DataSvcUtil.exe | Trouble | Windows | T1567 | DataSvcUtil.exe (a Windows built-in for WCF Data Services) used to transfer files to an external web service. This living-off-the-land technique uses a signed Windows binary to transfer data, bypassing application control policies that block third-party upload tools. |
| Arbitrary File Download Via ConfigSecurityPolicy.EXE | Trouble | Windows | T1567 | ConfigSecurityPolicy.exe (a Windows Defender configuration utility) used as a download or upload LOLBin, enabling data transfer to web-accessible endpoints using a signed Windows binary to bypass application control. |
Specialized data exfiltration by role
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Suspicious Bulk Data Transfer Activity in Salesforce | Attention | Salesforce | T1567 | Salesforce data export volume significantly exceeded the user's established behavioral baseline. Anomaly rule covering CRM data exfiltration by departing sales, account management, or customer success staff. Fires on bulk report export, data export wizard usage, or API-based record export volume deviating from the user's historical norm. |
| Suspicious SQL backup activity | Critical | Miscellaneous | T1005 | Ad hoc SQL backup job created or executed outside the scheduled backup window, or with a non-standard destination path. Covers database administrators who create off-schedule database exports to local workstation paths. Critical severity because a successful database backup exfiltration typically contains the most sensitive structured data the organization holds. |
| Veeam Backup Database Suspicious Query | Trouble | Windows | T1005 | Suspicious query against the Veeam backup database targeting backup job details, stored credentials, or backed-up system information. A departing backup administrator may be harvesting credentials stored in backup job configurations or mapping backed-up systems for post-employment access. |
| VeeamBackup Database Credentials Dump Via Sqlcmd.EXE | Trouble | Windows | T1005 | sqlcmd.exe executed to query the Veeam backup database for credential data. Veeam stores backup job credentials in its database in a recoverable form. Direct sqlcmd queries targeting credential tables by a departing administrator indicate credential harvesting for post-employment access. |
| AWS EC2 VM Export Failure | Attention | AWS | T1005 | Attempt to export an EC2 virtual machine image failed due to insufficient permissions. The failed attempt is itself the detection signal: a departing cloud administrator tried to export a VM image containing all data, configurations, and credentials, and was blocked by IAM permissions. |
| Esentutl Steals Browser Information | Trouble | Windows | T1005 | Esentutl.exe executed against browser database files containing saved passwords, cookies, and history. A departing employee extracting browser-stored credentials is harvesting saved corporate credentials for post-employment access to SaaS applications or internal systems accessible from outside the network. |
| Cryptocurrency wallet software started | Critical | Windows | T1005 | Known cryptocurrency wallet software running on a corporate endpoint. In a termination risk context, this may indicate the employee is converting company-controlled cryptocurrency assets, moving personal financial assets in anticipation of legal dispute, or using the wallet as a staging mechanism for financial data exfiltration. |
| ADFS Database Named Pipe Connection By Uncommon Tool | Trouble | Active Directory | T1005 | An uncommon tool connected to the ADFS database via named pipe, potentially accessing ADFS credentials, signing certificates, or token-issuing keys. A departing identity administrator accessing the ADFS database with non-standard tools may be harvesting federation service credentials for persistent post-employment access to federated SaaS applications. |
Behavior pattern visibility
Termination-risk data loss rarely shows up as a single event. It shows up as a pattern of behaviors concentrated in a short time window, often in the days immediately before or after a resignation is submitted.
Pattern A: Non-technical employee preparing to depart
| Day | Log source and event | What it indicates | Rules that fire |
|---|---|---|---|
| Day 1 | M365 audit log | Mail flow forwarding rule created to a Gmail address. Employee has never previously created a mail flow rule in three years of employment. | Mail Flow Rule for Forwarding Created |
| Day 2 | M365 audit log, SharePoint download events | SharePoint download count for the day: 847 files. Employee's 90-day average: 23 files per day. Downloads concentrated in the Customer Contracts and Pricing document libraries. | Office365 Sharepoint File transfer above threshold |
| Day 3 | Sysmon Event 22 (DNS query) | DNS query to mega.nz from the employee's workstation. First MEGA access ever observed for this endpoint. | DNS Query To MEGA Hosting Website |
| Day 4 | Windows Security Event 4656 (access denied) | 12 failed file access attempts against paths in the Legal and Finance network shares, which the employee has no access rights to. | Failed file access attempts |
Pattern B: Technical employee (developer) preparing to depart
| Day | Log source and event | What it indicates | Rules that fire |
|---|---|---|---|
| Day 1 | Sysmon Event 1 (Process Creation) | Rclone.exe executes with configuration arguments pointing to a MEGA remote. Rclone config file created in AppData. First Rclone execution ever observed on this endpoint. | PUA - Rclone Execution, Rclone Config File Creation |
| Day 2 | Sysmon Event 3 (Network Connection) | Large outbound data transfer to Mega.nz IP ranges over several hours. Transfer volume significantly exceeds any prior daily outbound transfer for this endpoint. | Network Connection Initiated To Mega.nz |
| Day 3 | Sysmon Event 1 (Process Creation) | Esentutl.exe executed against Chrome profile database path. Browser credential extraction in progress. | Esentutl Steals Browser Information |
| Day 4 | Sysmon Event 3 (Network Connection) | Network connection to DevTunnels domain established. A persistent remote access tunnel to the employee's workstation has been created before their last day. | Network Connection Initiated To DevTunnels Domain |
Investigation playbook
Termination-risk investigations differ from external threat investigations in one critical dimension: the employee has legitimate access to all systems where the activity occurred. The investigation must establish that the access pattern was inconsistent with the employee's normal work behavior and consistent with data collection for external use. This distinction matters for both HR proceedings and any subsequent legal action.
Step 1: Establish the behavioral baseline before assessing the event
- Before treating any individual rule firing as a confirmed insider threat event, pull the employee's historical activity baseline from Log360 for the prior 90 days. What was their daily average file open count, which directories did they normally access, what was their typical data transfer volume, and did they previously access cloud storage services? Context from the baseline is what separates meaningful signals from noise in this use case.
- Check whether the employee has a known departure date. Known departures dramatically increase the significance of any data access anomaly: the same behavior that is borderline suspicious for an active employee is high-confidence exfiltration for an employee known to be leaving in two weeks.
Step 2: Correlate signals across detection rules
- In Log360's log search, query for all rule firings associated with the same username across the preceding 30 days. A user who triggered only one rule in isolation is much lower risk than one who triggered four different rules across four consecutive days. The concentration and diversity of signals is more predictive than any single rule firing.
- Look for the collection-then-exfiltration sequence: bulk file access or SharePoint downloads followed within 24 to 48 hours by connections to cloud storage services or tunnel tools. This two-phase pattern is the most common departure data theft workflow and is highly distinctive when both phases appear within the same investigation window.
- Check whether mail forwarding rules were created. If yes, all emails sent and received since the rule creation may have been copied to an external address, determining the scope of email data exposure independently of any file-based exfiltration.
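Steps 1 and 2 together describe a scoring decision: compare the assessment window against the 90-day baseline, count how many distinct rules fired, look for collection followed within 48 hours by an exfiltration signal, and weight everything by whether a departure is known. The script below is an added example (not Log360 code, and not its UEBA scoring) that carries that logic out on constructed data. The users, daily file-open counts, dates, rule names taken from this page, the three-step severity ladder, and the z-score and ratio thresholds are all assumptions made for the example.

```python
"""Baseline comparison and collection-then-exfiltration correlation.

Added example, not Log360 code. It applies Step 1 (90-day behavioral
baseline) and Step 2 (signal concentration and the collection-then-
exfiltration sequence) of the playbook to constructed data; users, counts,
dates, thresholds and departure flags are all made up for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signal:
    user: str
    at: datetime
    rule: str          # name of the Log360 rule that fired


# Rules whose firing represents the exfiltration phase of the sequence.
EXFIL_RULES = {
    "DNS Query To MEGA Hosting Website",
    "Network Connection Initiated To Mega.nz",
    "PUA - Rclone Execution",
    "Communication To Ngrok Tunneling Service Initiated",
    "Network Connection Initiated To DevTunnels Domain",
}

SEVERITY_LADDER = ["Attention", "Trouble", "Critical"]


def collection_days(history: Dict[date, int], window_start: date,
                    z: float = 3.0, ratio: float = 3.0) -> List[date]:
    """Days in the assessment window whose file-access count breaks the baseline.

    The baseline is every day before window_start. A day is flagged only if it
    exceeds both mean + z*stdev (statistical outlier) and ratio*mean, so that a
    very flat baseline with a tiny stdev does not flag ordinary variation.
    """
    base = [n for d, n in history.items() if d < window_start]
    mu, sigma = mean(base), pstdev(base)
    threshold = max(mu + z * sigma, ratio * mu)
    return sorted(d for d, n in history.items() if d >= window_start and n > threshold)


def assess(user: str, history: Dict[date, int], window_start: date,
           signals: List[Signal], departure_known: bool) -> dict:
    """Combine baseline deviation, rule diversity and sequencing into one verdict."""
    hoard_days = collection_days(history, window_start)
    own = [s for s in signals if s.user == user]
    rules = {s.rule for s in own}
    if hoard_days:
        rules.add("Suspicious file access")
    # Collection followed within 48 hours (same or next two calendar days) by an exfil rule.
    sequences = [(d, s.rule) for d in hoard_days for s in own
                 if s.rule in EXFIL_RULES and 0 <= (s.at.date() - d).days <= 2]
    if not rules:
        return {"user": user, "severity": "none", "rules": [], "sequences": []}
    level = 1 if (sequences or len(rules) >= 3) else 0
    if departure_known:                      # a known departure escalates one step
        level = min(level + 1, len(SEVERITY_LADDER) - 1)
    return {"user": user, "severity": SEVERITY_LADDER[level],
            "rules": sorted(rules), "sequences": sequences}


# --- constructed data -------------------------------------------------------
WINDOW_START = date(2025, 3, 2)


def build_history(spike_day: Optional[date] = None, spike: int = 0) -> Dict[date, int]:
    """90 baseline days of 20-30 file opens per day, then three assessment days."""
    first = WINDOW_START - timedelta(days=90)
    hist = {first + timedelta(days=i): 20 + (i * 7) % 11 for i in range(90)}
    hist.update({WINDOW_START: 22, WINDOW_START + timedelta(days=1): 25,
                 WINDOW_START + timedelta(days=2): 24})
    if spike_day:
        hist[spike_day] = spike
    return hist


ALICE_HISTORY = build_history(WINDOW_START + timedelta(days=1), 847)  # 847 opens on 2025-03-03
BOB_HISTORY = build_history()                                        # nothing unusual

SIGNALS = [
    Signal("alice", datetime(2025, 3, 4, 10, 17), "DNS Query To MEGA Hosting Website"),
    Signal("bob", datetime(2025, 3, 3, 15, 2), "Communication To Ngrok Tunneling Service Initiated"),
]

if __name__ == "__main__":
    print(assess("alice", ALICE_HISTORY, WINDOW_START, SIGNALS, departure_known=True))
    print(assess("bob", BOB_HISTORY, WINDOW_START, SIGNALS, departure_known=False))
```

With these inputs the first user shows the full two-phase pattern (an 847-file day against a baseline of roughly 25, followed the next day by a MEGA DNS query) and a known departure, so the verdict lands on Critical; the second user has one isolated tunnel signal and no departure record, which stays at Attention pending the baseline review in Step 1.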
Step 3: Investigate using the Incident Workbench
- Click on the employee's username in any alert to open the Incident Workbench. Use the User analytics tab to view the complete activity timeline, UEBA risk score, and behavioral deviation metrics. The UEBA risk score quantifies the degree of behavioral deviation across all monitored activities, not just the specific events that triggered individual rules.
- Review the activity overview to identify the specific files accessed, SharePoint sites visited, and external destinations contacted. For email forwarding cases, identify when the forwarding rule was created relative to other suspicious activity to establish the timeline of intent.
- Save the Incident Workbench session to an incident and flag it with the appropriate sensitivity level. Termination risk incidents frequently involve HR, Legal, and executive stakeholders, and the saved session provides the evidence record for those stakeholders without requiring raw log access.
Step 4: Determine scope of data exposure
- For email forwarding: identify when the rule was created and enumerate all emails that would have been copied to the external address since that date using M365 message trace.
- For SharePoint mass download: identify the specific document libraries and files downloaded using M365 unified audit log FileDownloaded events. Cross-reference with DLP sensitivity classifications if in use.
- For Rclone or MEGA exfiltration: the transferred content is not directly visible in logs. Scope must be inferred from file access events preceding the transfer: which files were accessed in the hours before the cloud storage connection, and do they match the employee's data domain?
- For credential harvesting via Esentutl or ADFS access: enumerate all corporate SaaS applications and systems where browser-saved credentials would provide access. Password rotation for those credentials must be initiated regardless of whether exfiltration is confirmed.
Step 5: Collect evidence for HR and legal proceedings
- Export all relevant log entries: M365 audit logs for forwarding rule creation and SharePoint downloads, Windows file access events, Sysmon process creation and network connection events. Preserve the chain of custody by exporting to a tamper-evident format and noting the export time.
- Export the Incident Workbench session timeline and UEBA risk score history. This provides a non-technical summary of the behavioral deviation suitable for HR review and legal proceedings.
- Document the comparison between the employee's 90-day baseline and the anomalous activity period. This comparison is the foundation of the insider threat case, demonstrating that the activity was inconsistent with normal job function.
Response and remediation
Immediate containment
- Remove any mail forwarding rules from the employee's M365 account immediately. Use the Exchange admin center or PowerShell (Remove-TransportRule) to delete the rule. Forwarding rules may continue to operate after account disablement in some configurations; explicit removal is required.
- Revoke active M365 sessions using Revoke-MgUserSignInSession to terminate any active browser sessions through which data may still be accessible.
- Block identified exfiltration destinations at the web filtering layer if exfiltration is ongoing: block MEGA, Rclone targets, or tunnel service domains for the specific workstation while investigation is in progress.
- Initiate accelerated offboarding in coordination with HR. In high-risk cases where significant data exfiltration is detected, immediate access termination rather than waiting for the planned last day reduces the ongoing exposure window.
Response actions by trigger
| Trigger | Immediate action | Owner |
|---|---|---|
| Mail Flow Rule for Forwarding Created or Mailbox Mail Forwarding Enabled | Remove forwarding rule immediately. Run M365 message trace to determine scope of emails forwarded since rule creation. Notify HR and Legal. | SOC L2 + M365 Admin |
| PUA - Rclone Execution or DNS Query To MEGA | Isolate workstation if transfer is in progress. Preserve memory and disk state for forensics. Identify what was accessed before the transfer via file access logs. | SOC L2 + Incident Response |
| Office365 Sharepoint File transfer above threshold | Enumerate specific files downloaded via M365 audit log. Cross-reference with data classification. Notify data owners. Coordinate with HR on departure status. | SOC L2 + DLP Team |
| Suspicious SQL backup activity or Veeam credential dump | Identify backup destination path. Determine if file was subsequently transferred externally. Initiate database credential rotation for any credentials potentially included in the backup. | SOC L2 + DBA Team |
| Esentutl Steals Browser Information | Identify all corporate accounts where browser-saved credentials could have been extracted. Initiate forced password reset. Check for post-harvest access attempts from external IPs. | SOC L2 + Identity Team |
Process improvements
- Establish a formal elevated monitoring period triggered by HR notification of resignation or involuntary termination. When a departure is known in advance, UEBA anomaly thresholds for the departing employee's account can be tightened and specific rules placed on watchlist for immediate alerting.
- Implement a pre-offboarding access review that revokes access to the most sensitive systems (CRM, database admin tools, source code repositories) before the final departure date for roles with elevated data access risk.
- Integrate HR offboarding workflows with Log360 so that departing employee accounts are automatically placed under enhanced monitoring when an HR departure record is created. A SharePoint download alert from an employee with no known departure is Attention severity; the same alert from an employee with a confirmed departure date in three days is Critical.
False positive tuning
| False positive source | Rules affected | Tuning strategy |
|---|---|---|
| Legitimate large-scale SharePoint or file downloads for remote work | Office365 Sharepoint File transfer above threshold, Suspicious file access | Calibrate the download threshold against the organization's actual 90th percentile daily download volume per role type, not an arbitrary fixed number. Users who regularly work with large file sets such as engineers with large CAD repositories will have genuine high-volume download patterns that need per-role thresholds. The Suspicious file access anomaly rule uses individual behavioral baselines to avoid false positives for established users. |
| IT-sanctioned use of Rclone or cloud sync tools for backup | PUA - Rclone Execution, Rclone Config File Creation, MEGA and cloud storage rules | Maintain an allowlist of IT-approved cloud sync tools and their authorized use cases. Rclone used by IT administrators for approved backup sync should be excluded at the source account and workstation level. Standard employee workstations should never appear in the Rclone allowlist. |
| Developers using ngrok, DevTunnels, or VS Code Tunnels for legitimate development | Ngrok, DevTunnels, VS Code Tunnels, Cloudflared rules | Development teams may have legitimate approved uses for tunnel services for local development and testing. Create an allowlist scoped to specific developer accounts and development workstations. Tunnel usage from non-developer accounts, from non-development workstations, or during non-working hours should always alert regardless of any developer allowlist. |
| Scheduled backup jobs generating SQL backup events | Suspicious SQL backup activity | Document all scheduled SQL backup jobs including their timing, service account, and destination path. The rule detects deviations from scheduled patterns: off-schedule timing, non-standard destination paths, or execution by non-service accounts. Ensure scheduled backup patterns are included in the rule baseline. |
| IT administrators legitimately accessing ADFS or Veeam databases | ADFS Database Named Pipe Connection By Uncommon Tool, Veeam Database rules | Create an allowlist of authorized tools and accounts for ADFS and Veeam administration. Access from allowlisted tools used by allowlisted admin accounts is expected. Any access from tools not in the authorized list, or from accounts outside the admin group, should always alert. |
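The first tuning row recommends calibrating the SharePoint transfer threshold to the 90th percentile of each role's real daily volume rather than a fixed number. The script below is an added example (not Log360 code) that does exactly that on constructed history and then compares a fixed org-wide threshold with the per-role result on four sample days. The roles, users, daily download counts, the fixed threshold of 100 and the nearest-rank percentile method are all assumptions made for the example.

```python
"""Per-role download thresholds from the 90th percentile of observed volume.

Added example, not Log360 code: it shows why one fixed threshold for the
"Office365 Sharepoint File transfer above threshold" rule misfires on roles
with genuinely heavy download patterns, and how a per-role p90 calibrated
from history avoids that. All daily volumes, roles and users are constructed.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# (user, role, files downloaded that day) for one day of the calibration period.
DailyVolume = Tuple[str, str, int]


def percentile(values: List[int], p: float) -> int:
    """Nearest-rank percentile: the value at rank ceil(p/100 * n) in sorted order."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def role_thresholds(history: List[DailyVolume], p: float = 90) -> Dict[str, int]:
    """Threshold per role = p-th percentile of that role's daily download volume."""
    by_role = defaultdict(list)
    for _user, role, count in history:
        by_role[role].append(count)
    return {role: percentile(counts, p) for role, counts in by_role.items()}


def evaluate(day: DailyVolume, thresholds: Dict[str, int], fixed: int = 100) -> dict:
    """Compare a fixed org-wide threshold with the calibrated per-role one."""
    user, role, count = day
    role_limit = thresholds[role]
    return {
        "user": user, "role": role, "count": count,
        "fires_fixed": count > fixed,        # what a single hard-coded number would do
        "fires_role": count > role_limit,    # what the per-role p90 does
        "role_threshold": role_limit,
    }


def build_history() -> List[DailyVolume]:
    """Constructed: 20 days per role; engineers pull CAD sets, finance pulls reports."""
    eng = [("eng%d" % (i % 4), "engineer", 150 + 12 * i) for i in range(20)]
    fin = [("fin%d" % (i % 4), "finance", 5 + 2 * i) for i in range(20)]
    return eng + fin


CALIBRATION = build_history()
THRESHOLDS = role_thresholds(CALIBRATION)      # engineer: 354, finance: 39

# Constructed sample days: a heavy but normal engineer day, a genuinely
# anomalous engineer day, an anomalous finance day, and a normal finance day.
TEST_DAYS = [
    ("eng1", "engineer", 300),
    ("eng2", "engineer", 400),
    ("fin3", "finance", 120),
    ("fin0", "finance", 30),
]


def run() -> List[dict]:
    """Evaluate every sample day against the calibrated thresholds."""
    return [evaluate(d, THRESHOLDS) for d in TEST_DAYS]


if __name__ == "__main__":
    print(THRESHOLDS)
    for result in run():
        print(result)
```

The engineer day of 300 files is the case the tuning row is about: it trips the fixed threshold on every heavy-but-normal day, while the per-role threshold of 354 lets it through and still fires on the 400-file day. The finance day of 120 files fires under both schemes, because for that role it is far outside the observed range.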