Insider Risk: Investigate & Close Cases
When Insider Risk fires an alert, the investigation begins. Triage alerts, manage cases, capture forensic evidence, send notice templates, and close investigations with the right action.
The investigation workflow
Think of a fire alarm. The alarm goes off (alert). A firefighter assesses whether it's real or a false alarm (triage). If real, they investigate the source (case). They document evidence (forensic capture). Then they take action: contain the fire, evacuate, or stand down if it's burnt toast.
Insider Risk follows the same workflow: alert → triage → case → investigation → action. Each stage has specific tools and roles designed to protect both the organisation and the employee's privacy.
Alert management
Alert severity levels
| Severity | What It Indicates | Typical Response |
|---|---|---|
| High | Significant risk: multiple indicators, high-value data, known risk factors | Investigate immediately, consider case escalation |
| Medium | Moderate risk: some indicators above threshold | Review within 24-48 hours, gather more context |
| Low | Minor risk: a single indicator slightly above normal | Monitor, may dismiss if isolated incident |
Triage actions
| Action | What It Does | When to Use |
|---|---|---|
| Confirm | Escalates the alert to a case for formal investigation | Genuine risk pattern identified |
| Dismiss | Closes the alert as benign | False positive or explained activity |
| Resolve | Closes the alert with a resolution note | Minor issue, handled informally |
| Feedback | Provide feedback on alert quality | Help improve the ML model |
Case management
When an alert is confirmed, it becomes a case. Cases provide:
| Feature | What It Provides |
|---|---|
| Activity timeline | Chronological view of ALL user activities related to the case |
| Content explorer | View the actual files and messages involved |
| User activity | Detailed breakdown of what the user did, when, and where |
| Similar cases | Alerts and cases involving the same user or pattern |
| Notes | Investigator notes and documentation |
| Escalation | Escalate to eDiscovery (Premium) for legal hold and evidence preservation |
Case actions
| Action | Purpose |
|---|---|
| Send notice | Send a templated communication to the user (warning, reminder, etc.) |
| Escalate to eDiscovery | Create an eDiscovery case for legal investigation |
| Escalate to ServiceNow | Create a ticket in your ITSM system (if integrated) |
| Resolve case | Close the case with a resolution (confirmed/dismissed/resolved) |
Forensic evidence
For serious cases, IRM can capture forensic evidence: visual recordings (screenshots or short clips) of user desktop activity, taken by the Purview client installed on the user's device:
| Setting | What It Controls |
|---|---|
| Enable/disable | Turn forensic evidence capture on or off globally |
| Capture triggers | Which policy matches trigger evidence capture |
| Capture quality | Resolution and frame rate of captures |
| Storage and billing | Where captured clips are held, and the Azure subscription that pay-as-you-go capture charges are billed to |
| Retention | How long evidence is kept |
| Approval workflow | Captures require approval from the Insider Risk Management Approvers role |
Privacy safeguards for forensic evidence
| Safeguard | How It Protects |
|---|---|
| Approval required | A separate approver must authorise evidence capture |
| Scoped capture | Captures are tied to the policy indicators you select, not open-ended monitoring; the broader all-activities option still applies only to users who have been individually approved |
| Audit logging | All capture requests, approvals, and viewings are logged |
| Time-limited | Captures have defined start and end times |
| Role separation | Approvers sit in their own role group (Insider Risk Management Approvers); Microsoft recommends its members are not also investigators, so one person does not both request and authorise a capture |
Notice templates
Notice templates are pre-written communications sent to users during or after an investigation:
| Template Type | Purpose | Example |
|---|---|---|
| Reminder | Remind the user of data handling policies | "This is a reminder that external file sharing must comply with our data classification policy." |
| Warning | Formal warning about detected activity | "Activity on your account has been flagged for review. Further incidents may result in disciplinary action." |
| Escalation | Notify the user that the matter has been escalated | "This matter has been escalated to HR for further review." |
Creating and managing templates
| Setting | What You Configure |
|---|---|
| Template name | Internal name for the template |
| Subject line | Email subject the user sees |
| Body | Message content β supports placeholders for user name, date, policy |
| CC recipients | Optionally copy HR, legal, or the user's manager |
Scenario: Zara investigates a departing consultant
Atlas Global's IRM flags an alert: a senior consultant (2 weeks until departure) downloaded 2,000 files from SharePoint in 3 days, 10x their normal volume.
Zaraβs investigation:
- Triage: High-severity alert: confirm and escalate to a case
- Activity timeline: Shows bulk downloads started the day after resignation. Files include client proposals, pricing data, and strategy documents.
- Forensic evidence: Zara requests capture approval and the approver grants it. Capture starts only once the user is approved, so it records what the consultant does next; the clips show files being copied to a personal external hard drive.
- Notice: Send βWarningβ template to the consultant, CC HR and Legal.
- Escalation: Escalate to eDiscovery for legal preservation. HR initiates exit interview with security present.
- Resolution: Case resolved: access revoked, legal hold placed, incident documented.
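The alert that opens this scenario (a download volume far above the user's own baseline, sensitive content, and a known departure date) maps directly onto the severity table above. The following is an added example written for this page, not Purview's own scoring code: it builds a constructed set of download records, computes a per-user baseline, derives the three indicators, and suggests the triage action from the severity table. The `Event` and `Triage` types, the `HIGH_VALUE_LABELS` set, and the thresholds (5x baseline, at least 50 files, departure within 30 days) are illustrative assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed sensitivity labels treated as "high-value data" (a tenant-specific choice).
HIGH_VALUE_LABELS = {"Confidential", "Highly Confidential"}


@dataclass(frozen=True)
class Event:
    """One file download. day is an offset from today: -1 = yesterday."""
    user: str
    day: int
    filename: str
    label: str


@dataclass
class Triage:
    user: str
    baseline_avg: float     # downloads per day over the baseline period
    window_total: int       # downloads in the recent window
    ratio: float            # window daily average / baseline daily average
    high_value_count: int   # window downloads carrying a high-value label
    indicators: list = field(default_factory=list)
    severity: str = "Low"
    action: str = "Monitor; dismiss if isolated"


def build_sample_events():
    """Constructed sample data for the walkthrough, not real audit records."""
    events = []
    # Consultant: 30 quiet days of 20 routine downloads per day.
    for day in range(-33, -3):
        for i in range(20):
            events.append(Event("consultant", day, f"notes-{i}.docx", "General"))
    # Then 2,000 downloads in the 3 days after resigning, a third labelled Confidential.
    for day, n in ((-3, 667), (-2, 667), (-1, 666)):
        for i in range(n):
            label = "Confidential" if i % 3 == 0 else "General"
            events.append(Event("consultant", day, f"client-{i}.pptx", label))
    # Marketing coordinator: a single download of a public brochure template.
    events.append(Event("marketing", -1, "brochure-template.pptx", "Public"))
    return events


def triage(events, user, departure_in_days=None, baseline_days=30, window_days=3,
           spike_ratio=5.0, min_volume=50):
    """Score one user's recent downloads against that user's own baseline.

    Thresholds are illustrative assumptions, not Purview's internal scoring.
    """
    per_day = defaultdict(int)
    window_labels = Counter()
    for e in events:
        if e.user != user:
            continue
        per_day[e.day] += 1
        if -window_days <= e.day < 0:
            window_labels[e.label] += 1

    baseline_total = sum(per_day[d] for d in range(-window_days - baseline_days, -window_days))
    baseline_avg = baseline_total / baseline_days
    window_total = sum(per_day[d] for d in range(-window_days, 0))
    window_avg = window_total / window_days
    # With no baseline a ratio is meaningless: report 0 and fall back on min_volume.
    ratio = window_avg / baseline_avg if baseline_avg else 0.0
    high_value = sum(window_labels[lbl] for lbl in HIGH_VALUE_LABELS)

    t = Triage(user, baseline_avg, window_total, ratio, high_value)
    if window_total >= min_volume and (ratio >= spike_ratio or baseline_avg == 0):
        t.indicators.append("volume_spike")
    if high_value:
        t.indicators.append("sensitive_content")
    if departure_in_days is not None and departure_in_days <= 30:
        t.indicators.append("departing_user")

    # Severity follows the page's table: several indicators including high-value
    # data or a known risk factor is High; anything else above threshold is Medium.
    if len(t.indicators) >= 2 and {"sensitive_content", "departing_user"} & set(t.indicators):
        t.severity, t.action = "High", "Confirm: escalate to a case now"
    elif t.indicators:
        t.severity, t.action = "Medium", "Review within 24-48 hours; gather context"
    return t


if __name__ == "__main__":
    evs = build_sample_events()
    for user, departing in (("consultant", 14), ("marketing", None)):
        t = triage(evs, user, departure_in_days=departing)
        print(f"{t.user}: {t.severity} ({', '.join(t.indicators) or 'no indicators'}) -> {t.action}")
```

Run as-is, the consultant comes out High with all three indicators (the 3-day window runs at roughly 33x the baseline), while the marketing coordinator's single public download raises no indicator and stays Low, which is the answer the first practice question below is looking for. The point of scoring against the user's own baseline rather than a fixed number is that 2,000 downloads is routine for some roles and alarming for others.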
An Insider Risk alert at Atlas Global shows a low-severity alert for a single file download by a marketing coordinator. The file is a public brochure template. What should the analyst do?
During a case investigation at St. Harbour Health, Dr. Liam's team discovers that a departing nurse copied patient records to a personal USB drive. Legal counsel requests that all evidence be preserved for potential litigation. What should the investigator do?
Next up: Adaptive Protection: Risk Levels Meet DLP, the bridge between Insider Risk and DLP that makes enforcement dynamic.