# Insider Threat Operations (UAM/DTEX/UEBA)

One-sentence definition: Coordinated monitoring, detection, and response to malicious or negligent insider behavior.

## Key Facts

- Signals: data exfiltration (USB/cloud), anomalous access, off-hours activity, policy bypass.
- Tools: UEBA, UAM/DLP, HR triggers (departures, disputes), case management.
- Guardrails: proportionality, privacy, documented approvals, retention limits.
- Playbooks: escalate, contain (account suspension), capture evidence, interview.
- Metrics: time-to-detect insider patterns; false-positive management.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Distinguish insider threat operations from general SOC work: legal/privacy integration is key.

**Mnemonic:** “**Watch** wisely, **act** lawfully.”

## Mini Scenario

Q: Departing admin syncing GBs to a personal cloud—first steps?

A: Lock account, preserve logs/devices, involve HR/legal, review DLP.

## Revision Checklist

- Two key signals.
- Two guardrails.
- First containment steps.

## Related

[[User and Entity Behavior Analytics (UEBA) for IAM]] · [[Data Loss Prevention (DLP) Testing (Email Web Endpoint)]] · [[Incident Response Lifecycle (NIST-Style)]] · [[Access Reviews and Certification (IGA)]] · [[Domain 7 - Index]]