How To Leverage Insider Threat Analytics For Decisive Action

While organizations invest heavily in defending against external attacks, the most dangerous threats often come from within. Insider threats—malicious, negligent, or compromised—can cause devastating damage that goes undetected for months, costing companies millions in damages and lost intellectual property.

This guide explores how data-driven analytics can transform insider threat detection by examining digital footprints, monitoring behavioral patterns, and correlating activities across systems. We’ll cover:

  • Essential metrics
  • Practical detection thresholds
  • Strategies for building an effective insider threat program that balances security with privacy concerns

User Activity & Behavioral Analytics

User activity and behavioral analytics examine the digital footprints employees leave through their endpoint activity, giving visibility into potential insider threats. Organizations can establish baseline patterns by analyzing application usage, productivity metrics, and login behaviors, then identify deviations that may signal malicious intent, compromised credentials, or employee disengagement.

These analytics create a behavioral context for distinguishing normal from suspicious activity, helping security teams separate routine work from potential threat indicators while respecting privacy boundaries through role-based expectations and approved workflows. Content-level capture (email bodies, chat messages, keystrokes, screen recordings) is regulated by employment and data-protection law in many jurisdictions; confirm the legal basis, notice requirements, and retention limits before enabling it, and restrict review of captured content to documented investigations.

Applications & Website Usage Analytics

Key Metrics:

  • Top accessed applications/websites: Frequency and duration analysis of application and website usage across the organization, broken down by individual users, helping establish baseline usage patterns and identifying outliers that may indicate unauthorized activities
  • Time spent on unproductive sites: Comprehensive tracking of the duration spent on websites categorized as non-work-related, including job search sites, personal email, social media, and entertainment platforms, which can signal disengagement or preparation to leave
  • Access to high-risk websites or categories: Monitoring of visits to potentially dangerous web resources, including sites with malicious content, unsanctioned file sharing platforms, proxy/VPN services for anonymization, or competitors’ websites
  • Unusual application usage patterns: Identification of behavioral anomalies in application usage that deviate from established baselines, such as accessing applications not typically used in a role, using applications during unusual hours, or patterns suggesting non-human interaction

Recommended Thresholds:

  • Access to 5+ applications not used in the previous 30 days
  • More than 1.5 hours per day spent on websites categorized as unproductive
  • Any access to blacklisted or malicious websites (zero tolerance)
  • Application usage outside working hours exceeding 1 hour without approved project requirements
  • Access to internal systems/databases outside job function more than 3 times per week
  • Multiple failed access attempts to restricted applications (3+ within 24 hours)

How this data might indicate an insider threat:

  • Sudden access to applications outside job function may indicate unauthorized activities
  • Excessive time on job search websites could signal an employee planning to leave
  • Visits to high-risk or malicious websites might reveal malicious intent
  • Unusual patterns like accessing sensitive systems during off-hours could signal data theft attempts

How Teramind Helps Analyze This Data:
Teramind’s Applications & Websites report provides comprehensive analytics across three customizable tabs (Basic, Aggregated, and Categories) that track application and website usage patterns. 

The platform automatically classifies websites for security categorization and allows security teams to establish productivity profiles to identify out-of-role activity. Using the Grid Widget, analysts can quickly classify applications as productive or unproductive and investigate suspicious web access by right-clicking on any activity to initiate an investigation or view session recordings.

Productivity Metrics

Key Metrics:

  • Work time vs. idle time: Detailed ratio analysis comparing periods of active system interaction against inactive periods, which helps identify unusual patterns of system abandonment that may indicate off-system activities or disengagement
  • Productive vs. unproductive time: Comprehensive measurement of time allocation between applications and websites categorized as work-related versus non-work-related, providing insight into focus, engagement, and potential job-searching activities
  • Activity percentage: Granular measurement of user engagement during login sessions, calculated as the proportion of active vs. total session time, helping identify unusual patterns such as credential sharing or automated scripts
  • After-hours activity: Systematic monitoring of work performed outside defined business hours, including overnight activities, weekend access, and holiday operations, which may indicate unauthorized access or data exfiltration attempts when oversight is reduced

Recommended Thresholds:

  • Work time/idle time ratio falling well below the department average (roughly half of any department is below its average by definition; alert on a deviation band, such as more than 2 standard deviations below, rather than on any shortfall)
  • Productivity decrease of 30%+ compared to 30-day rolling average
  • Activity percentage below 50% during core business hours
  • After-hours system access exceeding 5 hours per week without project justification
  • Idle periods exceeding 30 minutes more than 5 times per day (potential off-system activity)
  • Weekend activity without approved projects or on-call responsibility

How this data might indicate an insider threat:

  • Abnormal idle time patterns might signal an employee who’s disengaged or conducting activities off-system
  • Sudden drops in productivity could indicate distraction with non-work activities like job hunting
  • After-hours activity outside normal project deadlines may represent unauthorized access
  • Unusual work patterns (like sporadic short logins) could indicate credential sharing or unauthorized access

How Teramind Helps Analyze This Data:
Teramind’s Productivity report offers detailed visibility into work patterns across three specialized tabs (Basic, Departments, and Tasks). The platform automatically calculates critical metrics, including work time, idle time, active time, and productivity percentages. Visual charts display top employees by various work metrics, allowing security teams to spot productivity anomalies instantly. 

The system tracks tasks and login sessions, enabling analysts to identify unusual work patterns or after-hours activities that might indicate insider threats. Time-based heatmaps also help visualize activity patterns across different time periods to identify suspicious work behaviors.

Login Session Analysis

Key Metrics:

  • Login/logout times and duration: Comprehensive logging of system access events including precise timestamps for session initiation and termination, total connected time, and patterns of short, repeated logins that may indicate unusual access behavior
  • Session count by time period: Quantitative analysis of login frequency across different timeframes (hourly, daily, weekly), with comparison against historical baselines and peer groups to identify anomalous authentication patterns
  • Source computers and IPs: Detailed tracking of device identifiers and network addresses used for system access, including correlation between multiple access points and identification of unregistered or unauthorized connection sources
  • Geographic location of logins: Mapping of physical locations from which users are accessing systems using IP geolocation and GPS data when available, enabling identification of impossible travel scenarios, unauthorized remote access, or access from high-risk territories

Recommended Thresholds:

  • Any login outside approved work locations (office, home, approved remote sites)
  • Login attempts during scheduled PTO or sick leave
  • Multiple concurrent active sessions (2+ simultaneous logins) from different devices or networks; a user with a desktop and a mobile session is normal in most environments, so key on mismatched device or source rather than the raw count
  • Login velocity exceeding physical travel possibilities (impossible travel scenarios)
  • Session durations outside normal patterns (>2 standard deviations from user baseline)
  • Failed login attempts exceeding 5 within 15 minutes
  • Login patterns showing access at unusual hours (2 am-4 am) more than twice monthly

How this data might indicate an insider threat:

  • Login activities outside normal working hours could signal unauthorized access attempts
  • Multiple concurrent sessions might indicate credential sharing or account compromise
  • Login attempts from unusual geographic locations can reveal unauthorized remote access
  • Pattern of failed logins followed by successful access might indicate brute force attacks or credential theft
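The three session thresholds that lend themselves to mechanical checks are impossible travel, failed-login bursts (5 within 15 minutes), and overlapping sessions from different devices. The script below is an added illustration, not Teramind code or output: it runs those checks over a handful of constructed login events. The 900 km/h travel ceiling, the 100 km minimum hop (to absorb geo-IP error), the sample IPs, hostnames and coordinates are all assumptions made for the example.

```python
# Login-session checks for three thresholds above: impossible travel, failed-login
# bursts (5 within 15 minutes) and overlapping sessions from different devices.
# All events are constructed for this example.
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Assumptions, not from the article: ~900 km/h is the fastest plausible travel
# speed, and hops under 100 km are ignored to absorb geo-IP error.
MAX_TRAVEL_KMH, MIN_HOP_KM = 900.0, 100.0
FAILED_LIMIT, FAILED_WINDOW = 5, timedelta(minutes=15)


class LoginEvent(NamedTuple):
    user: str
    ts: datetime
    success: bool
    source_ip: str
    device: str
    lat: float
    lon: float
    logout: Optional[datetime] = None  # None: failed attempt or session still open


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _sessions_by_user(events):
    """Successful logins grouped per user, sorted by time."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            by_user[e.user].append(e)
    return by_user


def impossible_travel(events):
    """Consecutive logins whose implied speed exceeds MAX_TRAVEL_KMH: (user, ip_from, ip_to, km)."""
    alerts = []
    for user, evs in _sessions_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if km >= MIN_HOP_KM and (hours == 0 or km / hours > MAX_TRAVEL_KMH):
                alerts.append((user, prev.source_ip, cur.source_ip, round(km)))
    return alerts


def failed_login_bursts(events):
    """(user, time) of the FAILED_LIMIT-th failure inside a sliding FAILED_WINDOW; one alert per burst."""
    alerts, window = [], defaultdict(deque)
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            continue
        q = window[e.user]
        q.append(e.ts)
        while e.ts - q[0] > FAILED_WINDOW:
            q.popleft()
        if len(q) >= FAILED_LIMIT:
            alerts.append((e.user, e.ts))
            q.clear()
    return alerts


def concurrent_sessions(events):
    """Overlapping sessions of one user from two different devices: (user, device_a, device_b)."""
    alerts = []
    for user, evs in _sessions_by_user(events).items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                a_end, b_end = a.logout or datetime.max, b.logout or datetime.max
                if a.ts < b_end and b.ts < a_end and a.device != b.device:
                    alerts.append((user, a.device, b.device))
    return alerts


# Constructed sample: one impossible-travel case (alice), one failed-login burst
# (bob), one overlapping session pair (carol) and one user below every threshold (dave).
D = datetime(2024, 3, 4)
NYC, LON = (40.7128, -74.0060), (51.5074, -0.1278)
SAMPLE_EVENTS = [
    LoginEvent("alice", D.replace(hour=9), True, "203.0.113.7", "ALICE-LT", *NYC, D.replace(hour=9, minute=45)),
    LoginEvent("alice", D.replace(hour=10, minute=30), True, "198.51.100.9", "ALICE-LT", *LON, D.replace(hour=12)),
    *[LoginEvent("bob", D.replace(hour=12, minute=m), False, "10.0.0.20", "BOB-PC", *NYC) for m in (0, 3, 5, 8, 10)],
    LoginEvent("bob", D.replace(hour=12, minute=11), True, "10.0.0.20", "BOB-PC", *NYC, D.replace(hour=17)),
    LoginEvent("carol", D.replace(hour=9), True, "10.0.0.5", "CAROL-LT", *NYC, D.replace(hour=17)),
    LoginEvent("carol", D.replace(hour=10), True, "10.0.0.77", "UNKNOWN-PC", *NYC, D.replace(hour=10, minute=30)),
    *[LoginEvent("dave", D.replace(hour=8, minute=m), False, "10.0.0.30", "DAVE-PC", *NYC) for m in (0, 1, 2, 3)],
]

if __name__ == "__main__":
    for check in (impossible_travel, failed_login_bursts, concurrent_sessions):
        print(check.__name__, check(SAMPLE_EVENTS))
```

The failed-login window is cleared after each alert so a single burst produces one event rather than one per extra attempt, and a user without a 30-day history never reaches the travel check, because only pairs of successful logins are compared.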

How Teramind Helps Analyze This Data:
Teramind’s Login Sessions report maintains an immutable log of all user sessions with detailed charts tracking login activities by computer, IP address, employee, and time period. The system records successful and failed login attempts, creating a comprehensive audit trail for security investigations. 

Geographic data is automatically captured, enabling security teams to identify impossible travel scenarios or logins from unauthorized locations. The Grid Widget displays complete session details including timestamps, source IPs, and duration, with contextual menu options to investigate suspicious login patterns or view the corresponding session recordings.

Data Movement & Information Security Analytics

This section focuses on tracking and analyzing how information flows within and beyond organizational boundaries, addressing the core concern in insider threat programs: data protection. Organizations can detect potential data exfiltration attempts at various stages through comprehensive monitoring of file operations, web transfers, email communications, and physical document handling.

These analytics enable security teams to identify suspicious patterns like bulk downloading, unauthorized transfers to external media, anomalous sharing with external parties, or systematic collection of sensitive information, providing early warning of potential intellectual property theft, customer data breaches, or competitive intelligence gathering.

File Event Monitoring

Key Metrics:

  • File access patterns: Comprehensive monitoring of which files are being accessed by which users, including frequency, timing, and access methods, with particular attention to sensitive repositories and unusual access sequences that might indicate reconnaissance
  • File operations: Detailed tracking of specific actions performed on files, including creation, modification, deletion, and copying, with volume and timing analysis to detect mass operations that might indicate data gathering or covering tracks
  • External device usage: Systematic logging of file transfers to removable media such as USB drives, external hard disks, or other portable storage, including device identifiers, file types, and transfer volumes that could signal physical data exfiltration
  • Sensitive document access: Targeted monitoring of interactions with confidential, proprietary, or restricted files based on location, classification, or content, with emphasis on unusual access patterns, especially for users with recent status changes or departure notices

Recommended Thresholds:

  • Bulk file operations (>20 files in a single session; calibrate this per role, since engineering, design, and data roles routinely touch far more files in normal work)
  • File access volume exceeding 150% of 30-day user average
  • Access to sensitive files outside approved project assignments
  • File transfers to external media exceeding 100MB without authorization
  • More than 10 files accessed from sensitive repositories within an hour
  • File access patterns showing systematic exploration of directories (potential reconnaissance)
  • Repeated access to the same sensitive files within short periods (potential exfiltration preparation)

How this data might indicate an insider threat:

  • Mass downloading or copying of files may signal data exfiltration attempts
  • Access to files unrelated to job function could indicate unauthorized curiosity or espionage
  • Repeated use of external drives or cloud storage may reveal data theft preparation
  • Unusual access to sensitive repositories, especially after resignation notice, could indicate intellectual property theft
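Three of the file-event thresholds above reduce to counting: files per session (>20), today's access volume against 150% of the user's 30-day average, and distinct sensitive-repository files within an hour (>10). The same rolling-baseline comparison also serves the Productivity threshold (a 30%+ drop versus the 30-day rolling average), so both are handled here. This is an added worked example, not Teramind code; the UNC path prefixes that mark sensitive repositories, the sample events and the daily histories are constructed for the example.

```python
# File-event checks for three thresholds above: bulk operations (>20 files in a
# session), access volume above 150% of a user's 30-day average, and more than
# 10 files from a sensitive repository within one hour. The same rolling-baseline
# comparison serves the Productivity threshold (30%+ drop vs 30-day average).
# All events and histories are constructed for this example.
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean
from typing import NamedTuple

BULK_PER_SESSION = 20
VOLUME_MULTIPLIER = 1.5       # 150% of the 30-day daily mean
SENSITIVE_PER_HOUR = 10
PRODUCTIVITY_DROP = 0.30
BASELINE_DAYS = 30
# Assumption: sensitive repositories are recognised by UNC path prefix.
SENSITIVE_PREFIXES = ("\\\\fs01\\finance\\", "\\\\fs01\\hr\\")


class FileEvent(NamedTuple):
    user: str
    session: str
    ts: datetime
    op: str    # access | create | modify | delete | copy
    path: str


def bulk_sessions(events):
    """(user, session) -> file count, for sessions over BULK_PER_SESSION."""
    counts = Counter((e.user, e.session) for e in events)
    return {k: n for k, n in counts.items() if n > BULK_PER_SESSION}


def _baseline(history, user):
    """Mean of the last BASELINE_DAYS daily values, or None if the history is too short."""
    past = history.get(user, ())
    return mean(past[-BASELINE_DAYS:]) if len(past) >= BASELINE_DAYS else None


def over_volume_baseline(history, today):
    """Users whose file-access count today exceeds VOLUME_MULTIPLIER x their baseline."""
    flagged = []
    for user, n in today.items():
        base = _baseline(history, user)
        if base is not None and n > VOLUME_MULTIPLIER * base:   # no baseline (new hire): no alert
            flagged.append(user)
    return flagged


def productivity_drop(history, today):
    """Users whose productive minutes today are PRODUCTIVITY_DROP or more below baseline."""
    flagged = []
    for user, n in today.items():
        base = _baseline(history, user)
        if base is not None and n <= (1 - PRODUCTIVITY_DROP) * base:
            flagged.append(user)
    return flagged


def sensitive_bursts(events):
    """(user, time) when more than SENSITIVE_PER_HOUR distinct sensitive files were touched within an hour."""
    alerts, windows = [], defaultdict(deque)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.path.lower().startswith(SENSITIVE_PREFIXES):
            continue
        q = windows[e.user]
        q.append((e.ts, e.path))
        while e.ts - q[0][0] > timedelta(hours=1):
            q.popleft()
        if len({p for _, p in q}) > SENSITIVE_PER_HOUR:
            alerts.append((e.user, e.ts))
            q.clear()   # one alert per burst
    return alerts


# Constructed sample data.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = (
    [FileEvent("alice", "S1", T0 + timedelta(seconds=i), "copy", f"D:\\proj\\spec_{i}.docx") for i in range(25)]
    + [FileEvent("bob", "S2", T0 + timedelta(minutes=2 * i), "access", f"\\\\fs01\\finance\\q{i}.xlsx") for i in range(12)]
    + [FileEvent("carol", "S3", T0 + timedelta(minutes=5 * i), "access", f"\\\\fs01\\hr\\review_{i}.pdf") for i in range(8)]
)
FILE_HISTORY = {"alice": [40] * 30, "bob": [40] * 30, "newhire": [30] * 5}   # files/day
FILE_TODAY = {"alice": 70, "bob": 50, "newhire": 90}
PROD_HISTORY = {"alice": [300] * 30, "bob": [300] * 30}                     # productive minutes/day
PROD_TODAY = {"alice": 290, "bob": 180}

if __name__ == "__main__":
    print(bulk_sessions(SAMPLE_EVENTS))
    print(over_volume_baseline(FILE_HISTORY, FILE_TODAY), productivity_drop(PROD_HISTORY, PROD_TODAY))
    print(sensitive_bursts(SAMPLE_EVENTS))
```

Users without a full 30-day history are deliberately skipped rather than compared against a short, noisy baseline; a new hire's first busy day is not an anomaly, and the sensitive-repository count is over distinct paths so that reopening one file repeatedly does not trip the burst threshold on its own.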

How Teramind Helps Analyze This Data:

Teramind’s File Events report monitors all file activities across local drives, external media, network locations, and cloud storage. The system captures granular details on file operations, including access, creation, modification, deletion, copying, and transfers. Timeline charts visualize file activity volumes by event type, making it easy to spot unusual spikes or patterns. 

Security teams can filter activities by file extension, enabling focused monitoring of sensitive document types. The detailed Grid Widget allows investigators to examine specific file operations with context, and right-click options provide direct access to investigate users or view session recordings of suspicious file activities.

Web File Events Analytics

Key Metrics:

  • Upload/download volumes: Quantitative measurement of file transfer sizes and counts through web browsers and cloud applications, including trend analysis to identify unusual spikes or gradual increases in outbound data that might indicate systematic collection
  • Cloud sync activities: Monitoring of file synchronization operations with cloud storage services such as Dropbox, Google Drive, OneDrive, and Box, including detection of newly installed sync clients, configuration changes, or unusual sync patterns
  • File types transferred: Classification and analysis of the types of files being moved via web channels, with special attention to sensitive formats like databases, source code, CAD files, and documents containing intellectual property or customer information
  • Destination domains: Identification and categorization of websites and services receiving uploaded files or serving downloads, with risk scoring based on business relevance, reputation, and previous usage patterns across the organization

Recommended Thresholds:

  • Uploads to personal storage sites (Dropbox, Google Drive) exceeding 50MB weekly (exclude the organization's own sanctioned tenants of these services, or the rule fires on normal work)
  • Downloads exceeding 500MB in a single day (without business justification)
  • More than 10 file uploads to external domains in a day
  • Transfer to unapproved cloud services or personal email domains (zero tolerance)
  • Upload/download ratio change of 70%+ from established baseline
  • Cumulative transfers to same external domain exceeding 1GB monthly
  • File transfers outside regular working hours exceeding 100MB weekly

How this data might indicate an insider threat:

  • Uploading company files to personal cloud storage may indicate intentional data exfiltration
  • Unusual spikes in download/upload activity could signal automated or mass collection efforts
  • Transfer of sensitive file types (confidential documents, databases, source code) to external sites may represent IP theft
  • Pattern of small, regular uploads might indicate ongoing data leakage or espionage activity
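Two of the web-transfer thresholds above are time-windowed sums per user and destination (50MB per week to personal storage, 1GB per month to any one external domain), and the last indicator, a pattern of small regular uploads, is a pattern over days rather than a size. The script below, an added example rather than Teramind code, applies all three to constructed upload records. Which domains count as personal storage, which are corporate-approved, and the low-and-slow heuristic (uploads of 5MB or less on at least 5 distinct days in a 7-day span) are assumptions for the example, not values from the article.

```python
# Outbound web-transfer checks for three thresholds above: >50 MB/week to personal
# storage, >1 GB/month to any one external domain, and a low-and-slow pattern of
# small regular uploads to the same external domain. Records are constructed here.
from collections import defaultdict
from datetime import date, timedelta
from typing import NamedTuple

MB = 1024 * 1024
PERSONAL_WEEKLY_LIMIT = 50 * MB
DOMAIN_MONTHLY_LIMIT = 1024 * MB
# Assumptions, not from the article: the personal-storage list, the approved
# corporate destinations, and the low-and-slow heuristic.
PERSONAL_STORAGE = {"dropbox.com", "drive.google.com", "onedrive.live.com", "app.box.com"}
APPROVED_DOMAINS = {"sharepoint.example-corp.com", "crm.example-corp.com"}
SLOW_MAX_BYTES = 5 * MB     # each upload small enough to stay under size-based alerts...
SLOW_MIN_DAYS = 5           # ...on at least this many distinct days within any 7-day span


class Upload(NamedTuple):
    user: str
    day: date
    domain: str
    size: int


def _week_key(d: date):
    iso = d.isocalendar()
    return (iso[0], iso[1])   # (ISO year, ISO week)


def personal_storage_weekly(uploads):
    """(user, domain, week) -> bytes, where weekly uploads to personal storage exceed the limit."""
    totals = defaultdict(int)
    for u in uploads:
        if u.domain in PERSONAL_STORAGE:
            totals[(u.user, u.domain, _week_key(u.day))] += u.size
    return {k: v for k, v in totals.items() if v > PERSONAL_WEEKLY_LIMIT}


def domain_monthly(uploads):
    """(user, domain, (year, month)) -> bytes, for unapproved domains over the monthly limit."""
    totals = defaultdict(int)
    for u in uploads:
        if u.domain not in APPROVED_DOMAINS:
            totals[(u.user, u.domain, (u.day.year, u.day.month))] += u.size
    return {k: v for k, v in totals.items() if v > DOMAIN_MONTHLY_LIMIT}


def low_and_slow(uploads):
    """(user, domain) pairs with small uploads on SLOW_MIN_DAYS+ distinct days inside some 7-day span."""
    days = defaultdict(set)
    for u in uploads:
        if u.domain not in APPROVED_DOMAINS and u.size <= SLOW_MAX_BYTES:
            days[(u.user, u.domain)].add(u.day)
    flagged = []
    for key, ds in days.items():
        ordered = sorted(ds)
        for start in ordered:
            span = [d for d in ordered if start <= d < start + timedelta(days=7)]
            if len(span) >= SLOW_MIN_DAYS:
                flagged.append(key)
                break
    return flagged


# Constructed sample: alice trips the weekly personal-storage limit, bob the monthly
# single-domain limit, carol the low-and-slow pattern; dave stays clean.
MON = date(2024, 3, 4)
SAMPLE_UPLOADS = (
    [Upload("alice", MON, "dropbox.com", 30 * MB), Upload("alice", MON + timedelta(days=2), "dropbox.com", 30 * MB)]
    + [Upload("bob", MON + timedelta(days=3 * i), "transfer.example", 200 * MB) for i in range(6)]
    + [Upload("carol", MON + timedelta(days=i), "paste.example", 2 * MB) for i in range(5)]
    + [Upload("dave", MON, "drive.google.com", 3 * MB), Upload("dave", MON, "sharepoint.example-corp.com", 900 * MB)]
)

if __name__ == "__main__":
    print(personal_storage_weekly(SAMPLE_UPLOADS))
    print(domain_monthly(SAMPLE_UPLOADS))
    print(low_and_slow(SAMPLE_UPLOADS))
```

Note that bob's 200MB transfers never trip the low-and-slow check and carol's 2MB transfers never trip a size limit; the two checks are complementary, which is the point of running both.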

How Teramind Helps Analyze This Data:
Teramind’s Web File Events report provides specialized monitoring of web-based file transfers across two detailed tabs (Basic and Details). The platform tracks uploads, downloads, and cloud synchronization activities with timestamps and complete metadata. Charts display transfer volumes by time period and identify top domains involved in file transfers. 

The Details tab offers additional visualizations, including size-based analysis and hourly heatmaps to identify suspicious timing patterns. The system automatically categorizes websites, helping teams quickly identify transfers to potentially risky destinations. The comprehensive Grid Widget lets investigators correlate file transfers with user activity, website categories, and security classifications.

Email Analytics

Key Metrics:

  • Email volume patterns: Comprehensive analysis of message frequency, timing, and quantity over time, including deviation detection from established baselines that might indicate bulk collection or unusual communications campaigns
  • Attachment analysis: Detailed examination of files attached to emails including types, sizes, naming patterns, and embedded content, with particular focus on sensitive data formats, encrypted containers, or unusual encoding that might indicate concealment attempts
  • External communications: Monitoring of messages exchanged with recipients outside the organization’s domain, including categorization by external domain type (personal email, competitor, industry partner) and behavioral analysis of communication patterns
  • Recipient patterns: Identification of which individuals or groups are receiving communications containing sensitive information, with relationship mapping to detect unusual distribution patterns, new external contacts, or communication with former employees or competitors

Recommended Thresholds:

  • Emails to personal accounts or non-corporate domains exceeding 5 per week
  • Attachment volume greater than 25MB to external recipients without approval
  • Sending more than 20 emails with attachments in a single day (potential bulk exfiltration)
  • Email distribution to competitor domains or job-search/recruiter domains (zero tolerance)
  • Attachments containing sensitive file types (.db, .sql, source code) to external recipients
  • Emails sent during non-business hours exceeding 10% of total volume
  • Email forwarding rules to external domains (zero tolerance); mailbox-level auto-forward rules are created and applied on the mail server, not the endpoint, so detecting them requires the mail platform's rule or audit logs in addition to endpoint monitoring

How this data might indicate an insider threat:

  • Emails to competitors or personal accounts with company attachments often signal data theft
  • Sudden increase in emails with attachments, especially before resignation, could indicate data harvesting
  • Unusual timing of emails (late night, weekends) with sensitive content may represent covert activity
  • Encrypted or password-protected attachments with no business reason for the protection defeat content inspection and could indicate an attempt to hide what is leaving
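The email thresholds above split into per-message checks (a competitor recipient, attachments over 25MB to external recipients, sensitive file types sent externally) and per-sender aggregates (more than 5 messages a week to personal domains, more than 20 attachment-bearing messages in a day). The following is an added example, not Teramind's implementation, that evaluates both kinds over constructed message metadata. The corporate domain, the personal, competitor and partner domain lists, and the sensitive extension list are assumptions for the example.

```python
# Outbound e-mail checks for the thresholds above: competitor recipients, >25 MB of
# attachments to external recipients, sensitive file types sent externally, >5
# messages/week to personal domains and >20 attachment-bearing messages/day.
# Messages are constructed for this example.
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple, Tuple

MB = 1024 * 1024
ORG_DOMAIN = "example-corp.com"                     # assumed corporate domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
COMPETITOR_DOMAINS = {"rival.example"}              # assumed; zero tolerance
PARTNER_DOMAINS = {"lawfirm.example"}               # assumed approved external party
SENSITIVE_EXT = (".db", ".sql", ".sqlite", ".py", ".java", ".go")
PERSONAL_WEEKLY_LIMIT = 5
EXTERNAL_ATTACH_LIMIT = 25 * MB
DAILY_ATTACH_MAILS = 20


class Mail(NamedTuple):
    sender: str
    recipients: Tuple[str, ...]
    ts: datetime
    attachments: Tuple[Tuple[str, int], ...]   # (filename, bytes)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def classify(domain: str) -> str:
    if domain == ORG_DOMAIN:
        return "internal"
    if domain in COMPETITOR_DOMAINS:
        return "competitor"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    if domain in PARTNER_DOMAINS:
        return "partner"
    return "external"


def check_mail(m: Mail):
    """Per-message findings; an empty list means nothing to flag."""
    findings = []
    classes = {r: classify(domain_of(r)) for r in m.recipients}
    external = [r for r, c in classes.items() if c != "internal"]
    if "competitor" in classes.values():
        findings.append("competitor_recipient")
    if external:
        if sum(size for _, size in m.attachments) > EXTERNAL_ATTACH_LIMIT:
            findings.append("large_external_attachment")
        if any(name.lower().endswith(SENSITIVE_EXT) for name, _ in m.attachments):
            findings.append("sensitive_type_external")
    return findings


def check_volume(mails):
    """Per-sender aggregate findings over a batch of messages."""
    personal_weekly, attach_daily = defaultdict(int), defaultdict(int)
    for m in mails:
        week = (m.ts.isocalendar()[0], m.ts.isocalendar()[1])
        if any(classify(domain_of(r)) == "personal" for r in m.recipients):
            personal_weekly[(m.sender, week)] += 1
        if m.attachments:
            attach_daily[(m.sender, m.ts.date())] += 1
    out = defaultdict(list)
    for (sender, _), n in personal_weekly.items():
        if n > PERSONAL_WEEKLY_LIMIT:
            out[sender].append("personal_domain_volume")
    for (sender, _), n in attach_daily.items():
        if n > DAILY_ATTACH_MAILS:
            out[sender].append("daily_attachment_volume")
    return dict(out)


# Constructed sample messages, one per scenario (plus erin, an internal send that is fine).
D = datetime(2024, 3, 4, 10, 0)
SAMPLE_MAILS = (
    [Mail("alice@example-corp.com", ("alice.personal@gmail.com",), D.replace(hour=9 + i), (("notes.txt", 4096),)) for i in range(6)]
    + [Mail("bob@example-corp.com", ("cto@rival.example",), D, (("roadmap.pptx", 2 * MB),))]
    + [Mail("carol@example-corp.com", ("counsel@lawfirm.example",), D, (("contract.pdf", 30 * MB),))]
    + [Mail("dave@example-corp.com", ("dave@outlook.com",), D, (("customers.sql", MB),))]
    + [Mail("erin@example-corp.com", ("team@example-corp.com",), D, (("customers.sql", MB),))]
    + [Mail("frank@example-corp.com", ("frank.home@yahoo.com",), D.replace(minute=i), (("p.pdf", MB),)) for i in range(21)]
)

if __name__ == "__main__":
    for m in SAMPLE_MAILS:
        if check_mail(m):
            print(m.sender, check_mail(m))
    print(check_volume(SAMPLE_MAILS))
```

Recipient classification is kept in one function so that the partner, competitor and personal lists are maintained in a single place; a message to an approved partner still counts as external for the size and file-type checks, which matches the thresholds as written.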

How Teramind Helps Analyze This Data:

Teramind’s Emails report offers comprehensive email monitoring across multiple tabs including Basic, Attachments, Destinations, and Sources. The system captures both incoming and outgoing messages with complete metadata and content access. Visualizations display email volumes, attachment statistics, and communication patterns by domain. 

Attachment heatmaps help identify unusual timing patterns in file transfers via email. The platform enables security teams to view, save, and print email contents directly through the interface, including downloading and examining attachments. The powerful Grid Widget can be grouped by various parameters including sender, recipient, attachments, or domains to identify patterns across different dimensions of email activity.

Printing Activity Analysis

Key Metrics:

  • Print volume: Quantitative measurement of printed pages and documents over time, with trend analysis comparing against historical baselines and peer groups to identify unusual printing activities that might indicate physical data exfiltration
  • Document types: Classification and content analysis of printed materials to identify sensitive documents, including intellectual property, customer information, strategic plans, or other confidential resources being converted to physical form
  • Timing patterns: Temporal analysis of when printing occurs, with special attention to after-hours, weekend, or holiday printing that avoids observation, particularly when combined with abnormal office presence or access
  • User printing behavior: Individual-level analysis of printing habits including preferred printers, typical volume, document types, and timing, enabling the detection of behavioral anomalies such as printing spikes before resignation or accessing printers in unauthorized areas

Recommended Thresholds:

  • Print volume exceeding 150% of user’s 30-day average
  • Printing more than 100 pages in a single day without business justification
  • Printing sensitive or restricted documents without authorization
  • After-hours printing activities (outside 7am-7pm) exceeding 25 pages weekly
  • Printing patterns showing regular small batches (potentially avoiding detection thresholds)
  • Print jobs sent to non-standard or personal printers
  • Printing from unauthorized applications or restricted documents

How this data might indicate an insider threat:

  • Excessive printing, especially of sensitive documents, may indicate an analog exfiltration method
  • After-hours printing activity could represent attempts to avoid detection
  • Printing documents unrelated to current projects may signal unauthorized information gathering
  • Pattern of printing sensitive materials before employee resignation could indicate planned theft

How Teramind Helps Analyze This Data:
Teramind’s Printing report captures all document printing activities with detailed metadata on timing, content, and volume. The system tracks print jobs sent to both local and network printers, maintaining records of document names, page counts, and copies made. Timeline charts visualize printing volumes over time, making unusual spikes immediately apparent. Hourly heatmaps reveal suspicious timing patterns such as after-hours printing. 

The interface allows security teams to view the actual content of printed documents, with options to re-print or save copies as PDF files for evidence preservation. The Grid Widget enables sorting and filtering by various parameters including document name, printer, and sensitivity to focus on high-risk printing activities.

Communication & Collaboration Analytics

This section examines the human connections and information exchanges that may reveal insider threat indicators through communication channels. By monitoring instant messaging, social media activities, and virtual meetings, organizations can detect inappropriate information sharing, external collusion, or expressions of disgruntlement that often precede malicious actions. 

These analytics help identify suspicious communications patterns such as increasing contact with competitors, sharing of sensitive information through unofficial channels, or concerning workplace sentiments that might signal insider risk, while also detecting potential recruitment attempts by external threat actors targeting employees with privileged access.

Instant Messaging Analysis

Key Metrics:

  • Message frequency: Detailed analysis of instant message volume, timing, and cadence across different messaging platforms, including identification of unusual spikes, after-hours communications, or conversations intensifying around critical business events
  • External contacts: Monitoring of communications with individuals outside the organization via messaging platforms, including identification of unauthorized external channels, communications with competitors, or suspicious contact patterns with unknown entities
  • Content analysis: Systematic evaluation of message content for sensitive terms, proprietary information, security discussions, expressions of discontent, or other high-risk communications that might indicate insider threat motivations or activities
  • File sharing activity: Tracking of documents and files transferred through messaging channels, which often bypass email security controls and logging systems, including analysis of file types, volumes, and whether sensitive content is being shared inappropriately

Recommended Thresholds:

  • External message volume exceeding 25% of overall communications
  • Instant messages containing restricted keywords (3+ occurrences)
  • File transfers via messaging platforms exceeding 50MB weekly
  • Communications with external domains not on approved vendor/client lists
  • Messages sent during non-business hours exceeding 15% of total volume
  • Encrypted or self-destructing messages (on platforms supporting these features)
  • Communications with former employees within 90 days of their departure

How this data might indicate an insider threat:

  • Sudden increase in communication with external parties could signal data sharing or job searching
  • Discussions containing sensitive terms, project names, or intellectual property might reveal unauthorized disclosure
  • Using messaging platforms for file transfers might indicate attempts to bypass email monitoring
  • Unusual timing or frequency of messages could represent covert communications or side channel activities

How Teramind Helps Analyze This Data:
Teramind’s Instant Messages report monitors communications across multiple chat platforms including web-based and desktop applications. The system captures message content, direction (incoming/outgoing), participants, and any shared files or attachments. Pre-configured tabs for Basic analysis and Attachments provide specialized views for different security focuses. 

Visual charts display messaging volumes, participant statistics, and keyword frequencies. Security teams can access the full message content and download any attachments for inspection. The platform can track communications across popular platforms like Slack, Microsoft Teams, and Google Chat, giving complete visibility into messaging channels that might be used for unauthorized data sharing.

Social Media Monitoring

Key Metrics:

  • Platform usage: Comprehensive tracking of which social networks and platforms are being accessed during work hours, including identification of blocked or high-risk sites being accessed through circumvention methods
  • Time allocation: Detailed measurement of duration spent on various social media platforms during business hours, with trend analysis to identify increasing usage patterns that might indicate disengagement or preparation to leave
  • Content interaction: Monitoring of posts, comments, messages, and engagement activities performed on social platforms, with content analysis for proprietary information, company mentions, competitor interactions, or expressions of workplace dissatisfaction
  • Topic analysis: Systematic evaluation of subjects discussed or searched on social platforms, with particular attention to job searching, competitive information, security bypassing techniques, or other high-risk topics that might indicate insider threat intent

Recommended Thresholds:

  • Social media usage exceeding 1 hour per workday
  • Posts or messages containing company-sensitive terms
  • Connections to competitor companies or their employees (a weak signal on its own, since routine professional networking looks the same; weight it only alongside other indicators)
  • Social media activity during work hours exceeding 10% of productive time
  • Recruitment-related interactions on professional networks (50%+ increase)
  • Posts expressing workplace dissatisfaction or grievances
  • Sharing of internal company information or photos (zero tolerance)

How this data might indicate an insider threat:

  • Sharing company information on social platforms could indicate poor security awareness or intentional disclosure
  • Excessive use of social media during work hours might signal disengagement or reduced loyalty
  • Connections with competitors or suspicious profiles could represent recruitment for insider activities
  • Social media posts expressing workplace grievances may indicate a disgruntled employee at risk for harmful actions

How Teramind Helps Analyze This Data:
Teramind’s Social Media report captures activities across popular social platforms, tracking posts, comments, edits, and other interactions. The system records the content of social media messages along with timestamps and platform details. Timeline charts visualize activity volumes while keyword tracking identifies potential sensitive information sharing. 

The platform can detect various social media actions including posting, commenting, and message sending. The comprehensive Grid Widget displays the actual content of social media messages, allowing security teams to review communications for potential data leakage or expressions of workplace grievances that might indicate insider threat risk factors.

Online Meetings Analytics

Key Metrics:

  • Participant tracking: Detailed logging of all attendees in virtual meetings and conferences, including internal and external participants, with identification of unauthorized external participants or attendance patterns showing suspicious external communications
  • Duration patterns: Analysis of meeting length and frequency across different meeting types and participants, with comparison against business justifications and historical patterns to identify unusual communication channels
  • Content sharing: Monitoring of screen sharing, document presentation, and collaborative editing during meetings, with focus on sensitive information exposure to external participants or unauthorized data sharing outside approved channels
  • External participation: Comprehensive tracking of non-employee attendance in virtual meetings, including detailed identification of external domains, participant verification, and analysis of meeting patterns with external entities, particularly competitors or former employees

Recommended Thresholds:

  • Meetings with external participants without calendar visibility (hidden meetings)
  • Screen sharing of sensitive documents to external participants (zero tolerance without approval)
  • Unauthorized recording of internal meetings
  • Meeting patterns with external participants exceeding historical norms by 50%+
  • Meetings with competitors or former employees (zero tolerance without compliance approval)
  • Unscheduled or ad-hoc meetings with external participants exceeding 3 per week
  • Meetings scheduled outside business hours with external participants

How this data might indicate an insider threat:

  • Unscheduled or unauthorized meetings with external participants could indicate illicit information sharing
  • Screen sharing of sensitive documents during external meetings may reveal intentional data exposure
  • Pattern of one-on-one meetings with outside individuals might signal recruitment or collusion
  • Meetings with competitors or former employees could represent inappropriate business relationships

How Teramind Helps Analyze This Data:
Teramind’s Online Meetings report provides visibility into video conferencing and collaboration platforms like Zoom, Webex, and Microsoft Teams. The system captures meeting metadata including participants, duration, and content shared. For organizations with appropriate configurations, Teramind can record screen content during meetings to review information shared visually. 

The platform logs participant details including external attendees, enabling security teams to identify meetings with unauthorized parties. Integrated with screen recording capabilities, analysts can review meeting content when suspicious patterns are detected. Meeting titles and participant information are captured to help identify potentially inappropriate external communications.

Technical Activity & Advanced Analytics

This section delves into sophisticated monitoring of technical indicators that may reveal insider threats operating at deeper system levels. Through analysis of keystroke patterns, command-line activities, network traffic, and search behaviors, security teams can detect advanced techniques used by technically proficient insiders attempting to conceal their actions. 

These analytics help identify potential security bypassing attempts, reconnaissance activities, covert communication channels, or technical preparations for data theft that might not be visible through standard monitoring, providing critical visibility into sophisticated insider threats that leverage technical knowledge to avoid detection.

Keystroke Analytics

Key Metrics:

  • Typing patterns: Detailed analysis of keyboard input volume, speed, rhythm, and timing across different applications and contexts, enabling the detection of unusual typing behaviors that may indicate different users or automated processes
  • Command sequences: Monitoring of special key combinations, shortcuts, and command patterns used across applications, with particular attention to administrative operations, security bypassing techniques, or rapid scripted sequences
  • Password activity: Tracking frequency, context, and patterns of credential entries across various systems and applications, helping identify potential credential harvesting, unauthorized authentication attempts, or password sharing
  • Data entry content: Context-aware monitoring of sensitive information being typed, such as customer data, intellectual property, or security credentials, with particular focus on unauthorized contexts or suspicious data entry patterns that could indicate data collection

Recommended Thresholds:

  • Credential entry in non-standard applications (potential harvesting)
  • Copy-paste operations involving sensitive data exceeding 20 instances daily
  • Typing speed pattern deviations exceeding 40% from baseline (potential different user)
  • Keyboard usage patterns showing unusual hours (2am-4am) without project justification
  • Copy-paste of more than 1,000 characters from sensitive documents
  • Special key combinations (Ctrl+A, Ctrl+C, Ctrl+V) used repeatedly on sensitive documents
  • Typing patterns showing programming commands in non-development roles

How this data might indicate an insider threat:

  • Unusual keystroke patterns might indicate someone other than the regular user is operating the system
  • Frequent copy-paste operations of sensitive data could signal collection efforts prior to exfiltration
  • Patterns showing password typing in unauthorized applications may indicate credential harvesting
  • Quick command sequences could reveal use of scripts or automated tools for malicious purposes

How Teramind Helps Analyze This Data:
Teramind’s Keystrokes report captures detailed keyboard input across applications with specialized tracking for regular typing, commands, and special key combinations. The system maintains charts showing word and character counts along with typing pattern analysis. Teramind can monitor for sensitive data entry patterns while respecting privacy requirements when configured with appropriate security controls and compliance guidelines. 

For enhanced security environments, end-to-end encryption is available with decryption controls for authorized investigations. The detailed Grid Widget displays keystroke content with application context, enabling security teams to identify potential credential harvesting, unauthorized commands, or sensitive data exfiltration via keyboard input.

Console Commands Monitoring

Key Metrics:

  • Command types: Comprehensive classification of console operations being executed, including system queries, configuration changes, file operations, network commands, and scripting activities, with risk scoring based on potential impact
  • Privileged operations: Monitoring of administrative or root-level command usage, with detailed logging of elevated privilege operations, particularly from accounts or users who don’t typically require such access
  • Script execution: Tracking of batch files, shell scripts, PowerShell, Python, or other automation mechanisms, including script sources, content analysis, and execution patterns that might indicate automated attacks or data collection
  • System modifications: Detailed logging of changes to system configurations, security settings, scheduled tasks, or registry modifications, with particular focus on changes that affect logging, monitoring, or security controls

Recommended Thresholds:

  • Any use of administrative commands by non-IT personnel
  • Commands accessing log files or security configurations (by unauthorized users)
  • More than 3 scripting activities by non-developer personnel
  • Command patterns showing system discovery activities (network scanning, user enumeration)
  • Use of PowerShell, bash, or Command Prompt by business users exceeding 5 instances weekly
  • Commands modifying firewall, registry, or security settings (zero tolerance for unauthorized users)
  • Installation of unapproved software or utilities, particularly remote access tools
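As an added example (not Teramind's code), the rules below apply four of these thresholds to a constructed week of console events; the command patterns, user names and role table are assumptions standing in for an organisation's own policy and directory feed.

```python
"""Role-aware console command thresholds (added example; constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass

# Pattern lists are assumptions for this demo, not Teramind's classification.
ADMIN_RE = re.compile(r"^(sudo|runas|net\s+localgroup|usermod)\b", re.I)
SECURITY_RE = re.compile(r"(netsh\s+advfirewall|auditpol|iptables|setenforce|Set-MpPreference)", re.I)
SCRIPT_RE = re.compile(r"^(powershell|pwsh|python3?|bash|cscript|wscript)\b", re.I)
SHELL_RE = re.compile(r"^(powershell|pwsh|bash|cmd)(\.exe)?\b", re.I)

# Role lookup stands in for an HR/directory feed (assumed users and roles).
ROLES = {"alice": "it", "bob": "developer", "carol": "business", "dave": "business"}

SCRIPT_LIMIT = 3   # "more than 3 scripting activities" by non-developer personnel
SHELL_LIMIT = 5    # shell use by business users "exceeding 5 instances weekly"


@dataclass(frozen=True)
class CommandEvent:
    user: str
    command: str  # full command text as a console-command report captures it


def evaluate_week(events):
    """Apply the role-based thresholds to one week of command events.

    Returns a sorted list of (user, finding) tuples: per-command rules fire
    on any matching command, count-based rules once per user per week.
    """
    findings = set()
    script_hits, shell_hits = Counter(), Counter()
    for ev in events:
        role = ROLES.get(ev.user, "business")  # unknown users treated as business
        if role != "it" and ADMIN_RE.search(ev.command):
            findings.add((ev.user, "admin-command-by-non-it"))
        if role != "it" and SECURITY_RE.search(ev.command):
            findings.add((ev.user, "security-setting-change"))  # zero tolerance
        if role != "developer" and SCRIPT_RE.search(ev.command):
            script_hits[ev.user] += 1
        if role == "business" and SHELL_RE.search(ev.command):
            shell_hits[ev.user] += 1
    for user, n in script_hits.items():
        if n > SCRIPT_LIMIT:
            findings.add((user, f"scripting-activity:{n}>{SCRIPT_LIMIT}"))
    for user, n in shell_hits.items():
        if n > SHELL_LIMIT:
            findings.add((user, f"shell-usage-weekly:{n}>{SHELL_LIMIT}"))
    return sorted(findings)


# Constructed sample week (not real telemetry).
SAMPLE_EVENTS = [
    CommandEvent("alice", "sudo systemctl restart sshd"),               # IT admin: allowed
    CommandEvent("bob", "python3 build.py --release"),                  # developer scripting: allowed
    CommandEvent("bob", "sudo apt-get install jq"),                     # admin command by non-IT
    CommandEvent("dave", "netsh advfirewall set allprofiles state off"),  # security setting change
] + [CommandEvent("carol", f"powershell -File report{i}.ps1") for i in range(6)]

FINDINGS = evaluate_week(SAMPLE_EVENTS)

if __name__ == "__main__":
    for user, finding in FINDINGS:
        print(f"{user}: {finding}")
```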

How this data might indicate an insider threat:

  • Use of administrative commands by regular users could indicate privilege escalation attempts
  • Commands that access, modify, or delete security logs might signal covering of tracks
  • Execution of data extraction or system manipulation scripts could reveal malicious activities
  • Commands that disable security tools or modify system configurations may indicate preparation for attack

How Teramind Helps Analyze This Data:
Teramind’s Console Commands report offers specialized monitoring of command line interfaces, terminals, and scripting environments. The system captures the full command text, execution timestamp, and the executable that processed the command. Charts display command volumes over time and identify top commands across the organization. 

This monitoring is particularly valuable for privileged users who have system-level access capabilities. The detailed Grid Widget shows complete command strings with user context, enabling security teams to identify potentially dangerous operations including security control modifications, log manipulation, or unauthorized system access attempts. Right-click investigation options allow analysts to quickly review the user’s session recording for additional context.

Network Traffic Analysis

Key Metrics:

  • Data transfer volumes: Quantitative measurement of information flowing across networks, broken down by direction (inbound/outbound), protocol, and application, with trend analysis to identify unusual data movement that might indicate exfiltration
  • Connection destinations: Comprehensive logging of external servers, services, and IP addresses being accessed, including geolocation information, reputation analysis, and business relevance scoring to identify potentially unauthorized destinations
  • Protocol utilization: Analysis of network communication protocols in use, including detection of tunneling, encryption, or obfuscation techniques that might indicate attempts to hide communications or bypass security controls
  • Traffic patterns: Temporal analysis of network communications timing, frequency, and consistency, helping identify suspicious patterns such as beaconing, regular small data transfers, after-hours communications, or other anomalies that suggest covert channels

Recommended Thresholds:

  • Data transfers to external destinations exceeding 250MB daily without business justification
  • Connections to non-whitelisted IP addresses or domains exceeding 10 per day
  • Use of non-standard ports or protocols for regular web traffic
  • Data upload/download ratio exceeding 2:1 (significantly more uploads than downloads)
  • Consistent small data transfers (50-100KB) at regular intervals (potential beaconing)
  • Network connections established during off-hours exceeding 5% of total connections
  • Encrypted traffic to unclassified destinations exceeding 100MB weekly
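An added example, not Teramind's code, that evaluates five of these thresholds over a constructed day of one user's connection records; the allow-list, business hours, the number of samples required before an interval is called regular, and the regularity tolerance are assumptions.

```python
"""Network-traffic thresholds over constructed connection records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from statistics import mean, pstdev

KB, MB = 1024, 1024 * 1024
OUTBOUND_DAILY_LIMIT = 250 * MB      # "exceeding 250MB daily"
RATIO_LIMIT = 2.0                    # upload/download "exceeding 2:1"
NEW_DEST_LIMIT = 10                  # "non-whitelisted ... exceeding 10 per day"
OFF_HOURS_SHARE = 0.05               # "off-hours exceeding 5% of total connections"
BEACON_SIZE = (50 * KB, 100 * KB)    # "consistent small data transfers (50-100KB)"
BEACON_MIN_EVENTS = 6                # assumption: samples needed before calling it regular
BEACON_MAX_CV = 0.10                 # assumption: interval std-dev / mean at most 10%
BUSINESS_HOURS = (time(8), time(18))  # assumption
WHITELIST = {"crm.example.internal", "mail.example.internal"}  # assumed allow-list


@dataclass(frozen=True)
class Conn:
    ts: datetime
    dest: str        # host name or IP as the report records it
    bytes_out: int
    bytes_in: int


def is_off_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def beaconing_destinations(conns):
    """Destinations receiving >= BEACON_MIN_EVENTS 50-100KB uploads at near-constant intervals."""
    stamps_by_dest = defaultdict(list)
    for c in conns:
        if BEACON_SIZE[0] <= c.bytes_out <= BEACON_SIZE[1]:
            stamps_by_dest[c.dest].append(c.ts)
    flagged = []
    for dest, stamps in stamps_by_dest.items():
        if len(stamps) < BEACON_MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= BEACON_MAX_CV:
            flagged.append(dest)
    return sorted(flagged)


def evaluate_day(conns):
    """Apply the daily thresholds to one user's connections; returns finding strings."""
    findings = []
    out_total = sum(c.bytes_out for c in conns)
    in_total = sum(c.bytes_in for c in conns)
    if out_total > OUTBOUND_DAILY_LIMIT:
        findings.append(f"outbound-volume:{out_total // MB}MB")
    if in_total and out_total / in_total > RATIO_LIMIT:
        findings.append(f"upload-ratio:{out_total / in_total:.1f}")
    unlisted = {c.dest for c in conns if c.dest not in WHITELIST}
    if len(unlisted) > NEW_DEST_LIMIT:
        findings.append(f"non-whitelisted-destinations:{len(unlisted)}")
    off = sum(1 for c in conns if is_off_hours(c.ts))
    if conns and off / len(conns) > OFF_HOURS_SHARE:
        findings.append(f"off-hours-share:{off / len(conns):.0%}")
    findings += [f"beaconing:{d}" for d in beaconing_destinations(conns)]
    return findings


# Constructed one-day sample (not real telemetry); 203.0.113.10 is a documentation address.
_DAY = datetime(2024, 3, 4)
SAMPLE = [Conn(_DAY.replace(hour=9, minute=5 * i), "203.0.113.10", 64 * KB, 1 * KB) for i in range(8)]
SAMPLE += [
    Conn(_DAY.replace(hour=2, minute=30), "files.example.net", 1 * KB, 1 * KB),
    Conn(_DAY.replace(hour=9, minute=10), "crm.example.internal", 200 * KB, 10 * MB),
    Conn(_DAY.replace(hour=10, minute=15), "files.example.net", 300 * MB, 2 * MB),
    Conn(_DAY.replace(hour=11), "mail.example.internal", 500 * KB, 8 * MB),
]
FINDINGS = evaluate_day(SAMPLE)
```

The beaconing check keys on interval regularity rather than on the destination, so it also surfaces a previously unseen host; in practice the sample count and tolerance would be tuned against legitimate polling clients such as mail or chat agents.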

How this data might indicate an insider threat:

  • Connections to unauthorized external servers could indicate command-and-control activity
  • Unusually large data transfers, especially to external sites, may represent data exfiltration
  • Use of tunneling protocols or encrypted connections to unusual destinations could signal covert channels
  • Periodic, small data transfers to the same destination might indicate ongoing espionage activity

How Teramind Helps Analyze This Data:
Teramind’s Network Monitoring report tracks all network connections with details on source/destination IPs, ports, protocols, and data volumes. The system captures host information when available, helping identify specific external services being accessed. Charts display outgoing and incoming traffic patterns with detailed bandwidth consumption metrics. 

The platform can categorize traffic by protocol and application, making it easier to identify unauthorized or suspicious connections. The comprehensive Grid Widget shows individual connection details including bytes sent and received, enabling security teams to identify potential data exfiltration channels or command-and-control connections that wouldn’t be visible through standard application monitoring.

Search Behavior Analysis

Key Metrics:

  • Search terms: Detailed capture and analysis of keywords and phrases entered into search engines, with categorization by risk level and monitoring for sensitive terms related to the company, security bypassing, data exfiltration methods, or competitor research
  • Search context: Evaluation of the platforms and websites used for searching, including deep analysis of specialized search platforms that might indicate specific technical research, job hunting, or other high-risk search activities
  • Query patterns: Temporal and frequency analysis of search behaviors including timing, volume, and topic progression, helping identify research campaigns that might indicate preparation for malicious actions
  • Topic categories: Classification of searched information into risk-relevant groupings such as competitor research, job hunting, security evasion, destructive techniques, or sensitive company information that the specific user should not research

Recommended Thresholds:

  • Searches for security bypass techniques (zero tolerance)
  • Job search activities exceeding 30 minutes per workday
  • Searches for sensitive company information outside job scope
  • Research on competitors exceeding 1 hour daily (for non-sales/marketing roles)
  • Searches for data extraction, wiping, or concealment tools (zero tolerance)
  • Multiple searches (5+) for company security policies or controls within short timeframes
  • Searches related to file encryption or secure file deletion tools

How this data might indicate an insider threat:

  • Searches for sensitive internal projects or information outside one’s scope may indicate unauthorized curiosity
  • Queries for destructive tools or techniques (data wiping, system hacking) could signal harmful intentions
  • Frequent searches for competitors or job opportunities might reveal an employee planning to leave
  • Research on security bypassing, encryption, or covert channels could indicate preparation for malicious actions

How Teramind Helps Analyze This Data:
Teramind’s Searches report captures user queries across search engines and platforms including Google, Bing, YouTube, and ChatGPT. The system records complete search phrases with timestamps and the sites where searches were performed. Visual charts display search volumes, top search terms, and user search frequencies. 

The platform can identify potentially concerning search patterns related to security bypassing, data exfiltration methods, or competing employment opportunities. The detailed Grid Widget shows the exact search phrases entered, enabling security teams to identify research activities that might indicate preparation for malicious actions or employees looking to leave the organization with sensitive information.

Risk Assessment & Response Framework

This section addresses the critical processes of evaluating risk signals, prioritizing investigations, and developing appropriate responses to potential insider threats. Through alerts analysis, audit trail investigation, and integrated threat correlation, organizations can assess the severity of insider risk indicators and determine appropriate actions. 

This framework helps security teams move from detection to response by establishing risk scoring methodologies, investigation workflows, and incident management processes that balance security imperatives with privacy considerations and legal requirements, ensuring proportional and defensible responses to potential insider threats across the threat spectrum.

Behavior Alerts Analysis

Key Metrics:

  • Alert frequency: Quantitative measurement of security rule violations over time, with trend analysis and anomaly detection to identify unusual patterns or escalations that might indicate progression from exploratory to focused malicious activities
  • Rule violation types: Classification and categorization of specific policy breaches detected, with correlation analysis to identify connected behaviors that collectively represent more significant threats than individual violations
  • User risk scores: Algorithmic calculation of threat levels for individual employees based on multiple weighted factors including alert history, access patterns, behavioral anomalies, and HR-related risk factors, providing a quantified approach to threat prioritization
  • Anomaly detection: Advanced pattern analysis using machine learning and statistical techniques to identify unusual behaviors that may not violate specific rules but represent significant deviations from established baselines, often revealing sophisticated threats

Recommended Thresholds:

  • Risk score increase of 30%+ over a 30-day period
  • More than 3 policy violations of the same type within a week
  • Multiple policy violations across different categories within 24 hours
  • Alert patterns showing escalation in severity over time
  • Rule violations occurring repeatedly during non-business hours
  • Behavioral alerts triggered across multiple monitoring systems
  • Alert frequency exceeding department average by 200%

How this data might indicate an insider threat:

  • Repeated policy violations may signal an employee who disregards security practices
  • Escalating risk scores could indicate progression from accidental to intentional violations
  • Clusters of alerts around specific time periods might reveal planned malicious activity
  • Multiple alert types triggered by the same user often indicate concerning behavior patterns

How Teramind Helps Analyze This Data:
Teramind’s Behavior Alerts report provides comprehensive monitoring of policy violations across two powerful tabs: Basic and Risks. The system processes both rule-based alerts and anomaly detections, assigning risk scores and categorizing by tags. Visual charts display alert volumes over time, employee risk rankings, and alert heatmaps to identify temporal patterns. 

The Risk tab enables organization-wide threat assessment with specialized visualizations for risk trends, threat heatmaps, and comparative analytics across departments. The platform allows security teams to investigate alerts directly from the interface, with options to view user activities, session recordings, and alert details. Configurable rule tags and risk thresholds enable customized risk assessment frameworks aligned with organizational security policies.

Audit Trail Investigation

Key Metrics:

  • Security configuration changes: Comprehensive tracking of modifications to security settings throughout the environment, including logging mechanisms, access controls, authentication requirements, network security, and endpoint protection settings
  • Permission alterations: Detailed logging of changes to access rights, privileges, role assignments, and security group memberships, with particular focus on privilege escalation, unauthorized permission grants, or suspicious access expansions
  • Administrative actions: Monitoring of system management and configuration activities performed by privileged accounts, with analysis of typical vs. atypical administrative behaviors and identification of unauthorized administrative operations
  • Security control interactions: Systematic logging of all engagement with monitoring and protection systems including security appliances, antivirus, DLP, EDR, and SIEM platforms, with emphasis on attempts to modify, disable, or circumvent these controls

Recommended Thresholds:

  • Any attempt to disable security tools or monitoring software (zero tolerance)
  • Access to security logs by non-security personnel
  • Permission changes affecting more than 5 users in a single day
  • Security configuration changes outside of approved change management process
  • Abnormal access to administrative interfaces (for non-admin users)
  • Multiple failed attempts to access security settings (3+ in a day)
  • Modifications to audit logging parameters or security policies

How this data might indicate an insider threat:

  • Changes to security settings or user permissions could signal preparation for malicious activities
  • Access to audit logs might indicate attempts to identify monitoring capabilities or cover tracks
  • Attempts to disable security controls often precede data theft or other malicious actions
  • Unauthorized administrative actions may reveal privilege abuse or account compromise

How Teramind Helps Analyze This Data:
Teramind’s Audit report maintains a comprehensive log of all administrative and security actions within the system. This immutable trail captures user activity including logins, logouts, configuration changes, and security modifications. The system records the specific actions taken, objects affected, and users responsible for each change. 

Unlike standard system logs, Teramind’s audit capabilities include extensive filtering and correlation features to identify suspicious patterns. The detailed Grid Widget shows action types, object types, and descriptions for each event, enabling security teams to investigate potential security control tampering, unauthorized permission changes, or suspicious administrative activities that might indicate insider threats operating at privileged levels.

Integrated Threat Analysis

Key Metrics:

  • Multi-indicator correlation: Sophisticated analysis of relationships between different alert types and security events across disparate systems and time periods, enabling the detection of complex threat patterns that isolated monitoring approaches would miss
  • Temporal activity patterns: Chronological sequence analysis of user actions and system events to identify recognizable attack patterns, preparation sequences, or the progressive stages of insider threat scenarios from initial exploration to active exfiltration
  • Behavior baseline deviations: Advanced comparative analysis of current user activities against established historical patterns, peer group behaviors, and role-based expectations, calibrated to detect subtle changes that might indicate compromise or malicious intent
  • Risk trending: Longitudinal analysis of threat indicators over extended time periods, enabling identification of gradual behavioral changes, slowly escalating risk profiles, or the influence of external factors like organizational changes or personal circumstances on potential insider threats

Recommended Thresholds:

  • Multiple indicators from different categories triggered within the same week
  • Sequential progression through known attack patterns (reconnaissance → collection → exfiltration)
  • Risk score trend increasing for 3+ consecutive weeks
  • Behavior deviations occurring within 30 days of significant employment events (performance reviews, reorganizations)
  • Cluster of 5+ medium-severity indicators within a two-week period
  • Combination of technical and behavioral indicators within same timeframe
  • Activity patterns showing distinct changes after organizational announcements
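An added example (not Teramind's code) that serves both the Behavior Alerts thresholds above (more than 3 same-type violations within a week, multiple categories within 24 hours) and the Integrated Threat Analysis thresholds (reconnaissance → collection → exfiltration progression, risk rising for 3+ consecutive weeks); the alert records, severity weights and the rule-to-stage mapping are constructed assumptions.

```python
"""Correlating alert indicators over time (added example; constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

STAGES = ("reconnaissance", "collection", "exfiltration")  # progression named in the guide
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7}         # assumed weights for a weekly score

@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str          # rule that fired, e.g. "sensitive-open"
    category: str      # monitoring category, e.g. "file", "network", "console"
    severity: str      # low / medium / high
    stage: str = ""    # assumed rule-to-stage mapping; empty when the rule maps to none

def _windows(alerts, span):
    """Sliding windows: each alert together with every alert up to `span` later."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    return [[b for b in alerts[i:] if b.ts - a.ts <= span] for i, a in enumerate(alerts)]

def repeated_rules(alerts, limit=3, span=timedelta(days=7)):
    """Rules firing more than `limit` times inside any 7-day window."""
    return sorted({r for w in _windows(alerts, span)
                   for r, n in Counter(a.rule for a in w).items() if n > limit})

def multi_category_24h(alerts):
    """True if alerts from more than one category land within 24 hours."""
    return any(len({a.category for a in w}) > 1 for w in _windows(alerts, timedelta(hours=24)))

def stage_progression(alerts):
    """True if the first alert of each stage appears in the guide's order."""
    first = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        first.setdefault(a.stage, a.ts)
    return all(s in first for s in STAGES) and first[STAGES[0]] < first[STAGES[1]] < first[STAGES[2]]

def rising_weeks(alerts, weeks=3):
    """True when the weighted weekly score rises for `weeks` consecutive weeks."""
    if not alerts:
        return False
    start = min(a.ts for a in alerts)
    weekly = defaultdict(int)
    for a in alerts:
        weekly[(a.ts - start).days // 7] += SEVERITY_WEIGHT[a.severity]
    scores = [weekly[i] for i in range(max(weekly) + 1)]
    run = 0
    for prev, cur in zip(scores, scores[1:]):
        run = run + 1 if cur > prev else 0
        if run >= weeks:
            return True
    return False

def assess(alerts):
    """Evaluate one user's alert history against the combined thresholds."""
    return {"repeated_rules": repeated_rules(alerts), "multi_category_24h": multi_category_24h(alerts),
            "stage_progression": stage_progression(alerts), "rising_weeks": rising_weeks(alerts)}

# Constructed four-week history for one user (not real alerts).
_BASE = datetime(2024, 3, 4, 10, 0)
def _at(day, hour=10, **kw):
    return Alert(_BASE.replace(hour=hour) + timedelta(days=day), **kw)
SAMPLE = [
    _at(0, rule="competitor-research", category="search", severity="low", stage="reconnaissance"),
    *[_at(d, rule="sensitive-open", category="file", severity="medium", stage="collection")
      for d in (8, 9, 13, 14, 16, 22, 23)],
    _at(14, hour=15, rule="script-run", category="console", severity="medium"),
    _at(17, rule="usb-insert", category="removable", severity="low"),
    _at(21, rule="large-upload", category="network", severity="high", stage="exfiltration"),
]
FINDINGS = assess(SAMPLE)
```

Each check alone is weak evidence; the point of the combined assessment is that all four firing for one user inside a month is far harder to explain as accident than any single alert.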

How this data might indicate an insider threat:

  • Correlation between different risk indicators often confirms intentional rather than accidental behavior
  • Progression of activities following a recognizable threat pattern may signal a planned attack
  • Subtle deviations across multiple behaviors might reveal sophisticated insider threats
  • Trending risk indicators can identify employees becoming increasingly disgruntled or compromised

How Teramind Helps Analyze This Data:
Teramind’s integrated analytics capabilities enable cross-correlation of threat indicators across multiple monitoring dimensions. The platform allows security teams to create custom BI reports that combine data from different sources like application usage, file activities, communications, and alerts. 

Visual charts can display risk trends over time, helping identify escalating threat patterns. Custom widgets can be configured to highlight composite risk indicators based on organization-specific threat models. 

The system’s ability to connect related events across different monitoring dimensions enables holistic threat analysis that would be impossible with siloed security tools. This integrated approach helps security teams identify subtle threat patterns that might not trigger alerts in any single category but collectively represent significant insider threat risk.
