How to Use Log Analytics for Insider Threat Detection

Insider threats are responsible for 60% of data breaches and can cost an average of $16.2 million per incident. Log analytics is a valuable tool for detecting these threats by monitoring user behavior and security logs in near real-time against established baselines and policies. Malicious, compromised, and negligent insiders represent three types of insider threats that can be detected through proactive security analysis using log analytics. Key indicators to monitor with log analytics include suspicious login behavior, unauthorized or unnecessary application usage, unauthorized file access/modification, privilege escalation, excessive downloads, inappropriate data exfiltration, and anomalous software installation. By aggregating security and user behavior logs at scale, organizations can establish baselines for normal user behavior and monitor incoming log data to detect suspicious or anomalous activity that might indicate an insider threat.