⚠ DLP ALERT — CONFIDENTIAL DATA MOVEMENT — MARCUS WEBB
IR-09
INSIDER THREAT INVESTIGATION
USER BEHAVIOUR · DATA EXFILTRATION · DEPARTING EMPLOYEE

OBJECTIVES

Read the investigation brief
Identify the date of the bulk data access
Find which file shares were accessed outside role
Identify the external upload destination
Find the USB device insertion event
Identify what was searched on the internal wiki
Calculate total data volume exfiltrated
Run SIEM query commands in terminal
Submit the investigation report
PHASE 1 — TRIAGE
INVESTIGATION BRIEF
⚠ CONFIDENTIAL — TICKET #HR-IR-2026-0088

INSIDER THREAT INVESTIGATION

SUBJECT: Marcus Webb · Referred by: HR Department

REFERRAL SUMMARY

HR has referred Marcus Webb (Senior Developer, 6 years tenure) to the security team for a quiet investigation. Marcus submitted his resignation 14 days ago and his last day is in 3 days. The DLP system generated alerts on May 6 related to his account. HR requests discretion — Marcus is not to be alerted to this investigation.

SUBJECT DETAILS

Name: Marcus Webb
Username: m.webb
Dept: Engineering
Title: Senior Developer
Tenure: 6 years
Resignation: 2026-04-24
Last Day: 2026-05-11
Manager: Rachel Okonjo

YOUR TASKS

  • Review DLP Console — identify all flagged data movement events
  • Review User Activity — check login times and access patterns
  • Review File Access Audit — identify files and shares accessed
  • Review USB Device Log — check for device insertions
  • Review Browser History — check for uploads and sensitive searches
  • Review HR Profile — understand authorised access scope
  • Complete the Investigation Report

LEGAL NOTE

This investigation is conducted under the company's Acceptable Use Policy and Employee Monitoring Policy. All findings must be documented accurately for potential legal proceedings. Do not confront or alert the subject.

DLP ALERT CONSOLE — USER: m.webb — 2026-05-06 to 2026-05-08
USER ACTIVITY LOG — m.webb — 2026-04-28 to 2026-05-08
LOGIN & ACCESS HEATMAP — Click a day to view activity log
FILE ACCESS AUDIT — m.webb — All Shares
USB DEVICE LOG — CORP-WKSTN-MW01 — Last 30 Days
CHROME — CORP-WKSTN-MW01 (Forensic Read-Only Mount)
HR PROFILE — Marcus Webb — CONFIDENTIAL
Marcus Webb
Senior Developer · Engineering
Resignation: 2026-04-24 · Last day: 2026-05-11
DEPARTING
EMPLOYMENT DETAILS
Employee ID: EMP-00441
Start Date: 2020-03-15
Manager: Rachel Okonjo
Office: London HQ — Desk 4F-22
Notice Given: 2026-04-24
Exit Interview: 2026-05-09 (scheduled)
AUTHORISED ACCESS SCOPE
\\Engineering: READ/WRITE
\\DevOps: READ/WRITE
\\Shared: READ ONLY
\\HR: NO ACCESS
\\Finance: NO ACCESS
\\Executive: NO ACCESS
SYSTEM ACCESS
Workstation: CORP-WKSTN-MW01
VPN Access: Active
Admin Rights: LOCAL ADMIN
USB Policy: Monitor Only
SIEM QUERY TERMINAL — analyst@soc:~$
analyst@soc:~$ # SIEM query terminal — querying Splunk/QRadar indexes
analyst@soc:~$ # Type "help" for available commands
analyst@soc:~$
NOTEPAD — INVESTIGATION SCRATCHPAD
INVESTIGATION REPORT — TICKET #HR-IR-2026-0088
SUBJECT & TIMELINE
DATA ACCESS
SENSITIVE DATA TYPES
RECOMMENDED ACTIONS