Performing Insider Threat Investigation

When to Use

- DLP (Data Loss Prevention) alerts on large data transfers to personal cloud storage or USB devices
- User behavior analytics (UBA) detects anomalous access patterns for a user account
- HR reports a departing employee suspected of taking proprietary information
- A privileged user is observed accessing systems outside their job function
- Whistleblower or coworker report alleges policy violations or data theft

Do not use for external attacker investigations where compromised credentials are used without insider collusion; use standard inci…