Code Room
On-callHard
Question
A UEBA alert flags a customer-support employee whose account, over the past two weeks, accessed ~4,000 distinct customer profiles via the internal admin tool — versus a peer-team baseline of ~50/week — including high-profile and VIP accounts unrelated to any assigned tickets. Access happened mostly outside their shift hours, and several lookups have no associated support case. The employee is active and unaware of the alert. HR notes they recently gave notice and leave in 5 days. How do you triage, contain, and remediate this suspected insider threat?
What a strong answer looks like
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
Learn the concepts
Loading whiteboard…
Run or narrate your approach, then ask the coach.