Possible Insider Threat Activity

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-05-10

Activation Period	14 Days
Training Period	30 Days
Test Period	3 Hours
Deduplication Period	1 Day
Required Data	Requires: Azure Audit Log Requires: AzureAD Requires: AzureAD Audit Log Requires: Microsoft Graph Logs Requires: Office 365 Audit Requires: Okta Requires: Okta Audit Log Requires one of the following data sources: Palo Alto Networks Firewall EAL Logs OR Palo Alto Networks Firewall threat Logs Requires one of the following data sources: Palo Alto Networks Global Protect OR Third-Party VPNs Requires: XDR Agent Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Identity Threat Module
Detector Tags
ATT&CK Tactic	Impact (TA0040)
ATT&CK Technique	Financial Theft (T1657)
Severity	Low

A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain.

An insider threat might use their access to organizational resources for personal gain.

Check how long the user has been part of the organization.
Check if the user is about to leave the company.
Verify that the user is not part of a department that performs such activity as part of daily operations.

A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain.

An insider threat might use their access to organizational resources for personal gain.

Check how long the user has been part of the organization.
Check if the user is about to leave the company.
Verify that the user is not part of a department that performs such activity as part of daily operations.