Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy violations, and pre-departure behavior using SIEM analysis, DLP alerts, and HR data correlation. For SOC teams handling HR referrals, anomalous data movement, or building investigation timelines.
Use this skill when:
Investigates insider threat indicators like data exfiltration, unauthorized access, policy violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and HR correlation. For SOC teams with HR referrals or anomalous data movement.
Investigates insider threat indicators like data exfiltration, unauthorized access, and pre-departure behaviors using SIEM queries, DLP alerts, UEBA, and HR data correlation for SOC teams.
Investigates insider threats like employee data theft, privilege misuse, and anomalous behavior using digital forensics, user behavior analysis, and HR/legal coordination for evidence-based cases.
Do not use this skill without proper legal authorization: an insider threat investigation must be coordinated with HR, Legal and Privacy before any monitoring begins.
Before starting any monitoring, make sure the appropriate authorization is in place:

```text
Insider Threat Investigation Authorization
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Case ID: IT-2024-0089
Subject: [Employee name] - [Department]
Authorized by: [CISO / General Counsel]
Referral source: HR - employee submitted resignation, two-week notice period
Justification: employee has access to trade secrets and customer PII
Scope: email, file access, USB, cloud storage, printing
Duration: 2024-03-15 to 2024-03-29 (notice period)
Privacy review: completed - consistent with the Acceptable Use Policy
```
Query the subject's aggregate activity across all data sources:

```
index=* (user="jsmith" OR src_user="jsmith" OR sender="jsmith@company.com"
    OR SubjectUserName="jsmith")
    earliest="2024-03-01" latest=now
| eval event_category = case(
    sourcetype LIKE "%dlp%", "DLP",
    sourcetype LIKE "%proxy%", "Web 访问",
    sourcetype LIKE "%email%", "邮件",
    sourcetype LIKE "%WinEventLog%", "终端",
    sourcetype LIKE "%o365%", "云",
    sourcetype LIKE "%vpn%", "VPN",
    sourcetype LIKE "%badge%", "物理访问",
    1=1, sourcetype
  )
| stats count by event_category, sourcetype, _time
| timechart span=1d count by event_category
```
Bulk file downloads (SharePoint/OneDrive), bucketed per day before aggregation:

```
index=o365 sourcetype="o365:management:activity" Operation IN ("FileDownloaded", "FileSynced")
    UserId="jsmith@company.com" earliest=-30d
| bin _time span=1d
| stats count AS downloads,
        sum(eval(if(isnotnull(FileSize), FileSize, 0))) AS total_bytes,
        dc(SourceFileName) AS unique_files
  by UserId, SiteUrl, _time
| eval total_gb = round(total_bytes / 1073741824, 2)
| where downloads > 50 OR total_gb > 1
| sort - total_gb
```
USB/removable media usage:

```
index=sysmon EventCode=1 Computer="WORKSTATION-JSMITH"
    (CommandLine="*removable*" OR CommandLine="*usb*"
    OR Image="*\\xcopy*" OR Image="*\\robocopy*")
| table _time, Computer, User, Image, CommandLine
| append [
    search index=endpoint sourcetype="endpoint:device_connect"
        user="jsmith" device_type="removable"
    | table _time, user, device_name, device_serial, action
  ]
| sort _time
```
Email-based exfiltration:

```
index=email sourcetype="o365:messageTrace"
    SenderAddress="jsmith@company.com"
| eval is_external = if(match(RecipientAddress, "@company\.com$"), 0, 1)
| eval has_attachment = if(isnotnull(AttachmentName), 1, 0)
| stats count AS total_emails,
        sum(is_external) AS external_emails,
        sum(has_attachment) AS with_attachments,
        sum(eval(if(is_external=1 AND has_attachment=1, 1, 0))) AS external_with_attach,
        sum(Size) AS total_size_bytes
  by SenderAddress
| eval external_attach_pct = round(external_with_attach / total_emails * 100, 1)
| eval total_size_mb = round(total_size_bytes / 1048576, 1)
```
Cloud storage upload detection:

```
index=proxy user="jsmith"
    (dest IN ("*dropbox.com", "*drive.google.com", "*onedrive.live.com",
              "*box.com", "*wetransfer.com", "*mega.nz")
    OR category="cloud-storage")
    http_method=POST
| stats count AS uploads, sum(bytes_out) AS total_uploaded
  by user, dest, category
| eval uploaded_mb = round(total_uploaded / 1048576, 1)
| sort - uploaded_mb
```
Access to sensitive systems outside the subject's normal job duties (mvfilter can reference only one field, so the comparison is done after mvexpand; the regex is anchored so that app names cannot match as substrings):

```
index=auth user="jsmith" action=success earliest=-30d
| stats dc(app) AS unique_apps, values(app) AS apps_accessed by user
| join user type=left [
    | inputlookup role_app_mapping.csv
    | search role="Financial Analyst"
    | stats values(authorized_app) AS authorized_apps by role
    | eval user="jsmith"
  ]
| eval auth_regex = "^(" . mvjoin(authorized_apps, "|") . ")$"
| mvexpand apps_accessed
| where NOT match(apps_accessed, auth_regex)
| stats values(apps_accessed) AS unauthorized, values(authorized_apps) AS authorized_apps by user
| table user, unauthorized, authorized_apps
```
Off-hours and weekend activity:

```
index=* user="jsmith" earliest=-30d
| eval hour = tonumber(strftime(_time, "%H"))
| eval is_offhours = if(hour < 7 OR hour > 19, 1, 0)
| eval day = strftime(_time, "%A")
| eval is_weekend = if(in(day, "Saturday", "Sunday"), 1, 0)
| stats count AS total, sum(is_offhours) AS offhours, sum(is_weekend) AS weekend by user
| eval offhours_pct = round(offhours / total * 100, 1)
| eval weekend_pct = round(weekend / total * 100, 1)
```
Compare activity against the resignation timeline (the event search is the outer query so that every day keeps its own row; joining from a single makeresults row would return only the first matching day, and the phases are cut at the resignation date rather than at a relative offset from now):

```
index=* user="jsmith" earliest=-90d
| bin _time span=1d
| stats count AS daily_events, dc(sourcetype) AS data_sources by user, _time
| eval resignation_date="2024-03-15",
       last_day="2024-03-29",
       access_revocation="2024-03-29 17:00"
| eval phase = case(
    _time < strptime(resignation_date, "%Y-%m-%d"), "正常(辞职前)",
    _time <= strptime(last_day, "%Y-%m-%d"), "通知期",
    1=1, "过渡期"
  )
| chart avg(daily_events) AS avg_events by phase
```
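The phase split and baseline comparison from the timeline search, carried one step further in Python as an added example (this is not part of the original skill): each day is classified into the same three phases, events are averaged per phase, notice-period days that exceed a multiple of the pre-resignation average are flagged, and the weekend share of notice-period activity is computed. The daily counts and the resignation dates are constructed sample data.

```python
from datetime import date
from statistics import mean

# Constructed sample data: events per day for the subject (not real telemetry).
DAILY_EVENTS = {
    "2024-03-11": 140, "2024-03-12": 155, "2024-03-13": 148, "2024-03-14": 157,
    "2024-03-15": 890, "2024-03-16": 1200, "2024-03-17": 950, "2024-03-18": 610,
    "2024-03-30": 40,
}
RESIGNATION = date(2024, 3, 15)  # assumed, matches the sample case record
LAST_DAY = date(2024, 3, 29)


def classify_phase(day: date, resignation: date = RESIGNATION, last_day: date = LAST_DAY) -> str:
    """Same three phases as the timeline search: before resignation, notice period, after."""
    if day < resignation:
        return "normal"
    if day <= last_day:
        return "notice_period"
    return "transition"


def phase_averages(daily=DAILY_EVENTS) -> dict:
    """Average daily event count per phase (rounded to one decimal)."""
    buckets = {}
    for iso_day, count in daily.items():
        buckets.setdefault(classify_phase(date.fromisoformat(iso_day)), []).append(count)
    return {phase: round(mean(counts), 1) for phase, counts in buckets.items()}


def flag_spikes(daily=DAILY_EVENTS, multiplier: float = 3.0) -> list:
    """Notice-period days whose count is >= multiplier x the pre-resignation average."""
    baseline = phase_averages(daily).get("normal")
    if not baseline:
        return []  # no pre-resignation baseline: nothing to compare against
    return sorted(
        d for d, c in daily.items()
        if classify_phase(date.fromisoformat(d)) == "notice_period" and c >= multiplier * baseline
    )


def weekend_share(daily=DAILY_EVENTS) -> float:
    """Percentage of notice-period events that fell on a Saturday or Sunday."""
    notice = {d: c for d, c in daily.items()
              if classify_phase(date.fromisoformat(d)) == "notice_period"}
    total = sum(notice.values())
    weekend = sum(c for d, c in notice.items() if date.fromisoformat(d).weekday() >= 5)
    return round(weekend / total * 100, 1) if total else 0.0
```

A subject with no pre-resignation days in the window yields an empty flag list rather than a false spike, which is the case to watch when the retention period is shorter than the lookback.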
Badge/physical access correlation:

```
index=badge_access employee_id="jsmith" earliest=-30d
| stats count AS badge_events, values(door_name) AS doors_accessed,
        earliest(_time) AS first_badge, latest(_time) AS last_badge by employee_id
| eval areas = mvcount(doors_accessed)
```
Maintain chain of custody for all collected evidence:

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


evidence_log = {
    "case_id": "IT-2024-0089",
    "investigator": "soc_analyst_tier2",
    # Timezone-aware UTC timestamp (datetime.utcnow() is deprecated)
    "collection_time": datetime.now(timezone.utc).isoformat(),
    "items": [
        {
            "item_id": "EV-001",
            "description": "Splunk 导出——所有用户活动 2024-03-01 至 2024-03-15",
            "file": "jsmith_activity_export.csv",
            "sha256": sha256_file("jsmith_activity_export.csv"),
            "collected_by": "analyst_doe",
            "collection_method": "Splunk 搜索导出",
        },
        {
            "item_id": "EV-002",
            "description": "DLP 告警详情——47 次策略违规",
            "file": "dlp_alerts_jsmith.json",
            "sha256": sha256_file("dlp_alerts_jsmith.json"),
            "collected_by": "analyst_doe",
            "collection_method": "Microsoft Purview 导出",
        },
    ],
}

# Write the log next to the evidence; hash the log itself and store that hash
# separately so that later edits to the log are detectable.
with open(f"evidence_log_{evidence_log['case_id']}.json", "w", encoding="utf-8") as f:
    json.dump(evidence_log, f, indent=2, ensure_ascii=False)
```
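A custody record is only useful if it is re-checked before handover. The following added example (not part of the original skill) verifies an evidence log of the shape written above: it recomputes each item's SHA-256 and reports intact, altered and missing items. The files, the log contents and the `demo()` scenario are constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Chunked SHA-256 so large evidence exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def verify_evidence_log(log_path: str, evidence_dir: str) -> dict:
    """Recompute each item's hash; returns {item_id: "ok" | "mismatch" | "missing"}."""
    with open(log_path, encoding="utf-8") as f:
        log = json.load(f)
    results = {}
    for item in log["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.isfile(path):
            results[item["item_id"]] = "missing"
        elif sha256_file(path) == item["sha256"]:
            results[item["item_id"]] = "ok"
        else:
            results[item["item_id"]] = "mismatch"
    return results


def demo() -> dict:
    """Constructed evidence set: one intact file, one altered after logging, one deleted."""
    d = tempfile.mkdtemp()
    files = {"export.csv": b"time,user,action\n2024-03-16T02:10Z,jsmith,FileDownloaded\n",
             "alerts.json": b'[{"rule": "usb-copy", "count": 14}]',
             "badge.csv": b"time,door\n2024-03-17T09:00Z,server-room\n"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    log = {"case_id": "IT-2024-0089", "items": [
        {"item_id": f"EV-{i:03d}", "file": n, "sha256": sha256_file(os.path.join(d, n))}
        for i, n in enumerate(files, 1)]}
    log_path = os.path.join(d, "evidence_log.json")
    with open(log_path, "w", encoding="utf-8") as f:
        json.dump(log, f, indent=2)
    with open(os.path.join(d, "alerts.json"), "ab") as f:
        f.write(b"\n")  # post-collection edit: the logged hash no longer matches
    os.remove(os.path.join(d, "badge.csv"))  # item lost after collection
    return verify_evidence_log(log_path, d)
```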
| Term | Definition |
|---|---|
| Insider Threat | The risk posed by an individual with legitimate access who misuses that access for unauthorized purposes |
| Data Exfiltration | Unauthorized transfer of data outside the organization via email, USB, cloud or other channels |
| DLP | Data Loss Prevention: technology that monitors and blocks unauthorized data transfers based on content policies |
| Notice Period Monitoring | Enhanced monitoring of an employee between resignation and departure |
| Chain of Custody | Documented evidence-handling procedures that preserve forensic integrity for potential legal proceedings |
| Need-to-Know Violation | Accessing information or systems beyond what the employee's role or current tasks require |
```text
Insider Threat Investigation Report - IT-2024-0089
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Subject: jsmith (Financial Analyst, Finance)
Period: 2024-03-01 to 2024-03-15
Status: employee resigned on 2024-03-15; last working day 2024-03-29

Key findings:
[HIGH] 3,847 files (12.4 GB) downloaded from SharePoint - 10x the peer average
[HIGH] USB device connected 14 times during the notice period (0 in the previous month)
[HIGH] 187 emails with attachments sent to a personal Gmail address
[MEDIUM] Off-hours activity up 340% during the notice period
[MEDIUM] HR compensation database accessed 3 times (outside job role)

Timeline:
Mar 01-14: normal activity baseline (avg 150 events/day)
Mar 15: resignation submitted (activity spikes to 890 events)
Mar 16-17: weekend access - 2,100 SharePoint downloads
Mar 18: first USB device connection; DLP alert triggered

Evidence collected: 4 items (SHA-256 verified, chain of custody documented)
Recommendation: revoke access immediately
Evidence package ready for Legal review
```