Insider Threat Signals
When an employee is placed on an active offboarding list in People, The One Defend automatically monitors their endpoint for anomalous behavior and notifies HR if it detects signs of data exfiltration or unauthorized access.
How It Works
People and Defend are integrated at the service level. When an offboarding is initiated in People for an employee:
- People notifies Defend's internal API that this employee is entering an offboarding period
- Defend elevates monitoring priority for that employee's endpoint(s)
- Defend's behavioral AI watches for anomalies specific to data exfiltration risk:
  - Large file copies to removable media or cloud storage
  - Bulk downloads of company files
  - Unusual access to sensitive directories outside normal work hours
  - Email forwarding rule creation
  - Access to systems outside the employee's normal usage patterns
- If Defend detects an anomaly above threshold, it sends an HR Flag notification to People
- People surfaces the flag to HR Managers and Admins in the Insider Threat Signals section
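The detection side of this flow, as an added illustrative example rather than The One's or Defend's own code: the hypothetical evaluate_events() applies the five anomaly categories above only to users on the offboarding list, scores each hit, drops anything below a notification threshold, and emits records shaped like the fields of the Insider Threat tab. The event shape, thresholds, path prefixes, sample telemetry and the signal type names other than "Large File Transfer" and "Unusual Access Pattern" are constructed assumptions.

```python
"""Illustrative offboarding-period detection: added example, not The One's code.
All event shapes, thresholds, path prefixes and sample telemetry are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tunables (assumptions, not product settings).
LARGE_TRANSFER_BYTES = 500 * 2**20            # one copy to removable/cloud
BULK_DOWNLOAD_COUNT = 50                      # files pulled within one window
BULK_WINDOW = timedelta(minutes=30)
WORK_HOURS = range(8, 19)                     # 08:00-18:59 counts as normal
SENSITIVE_PREFIXES = ("/srv/finance", "/srv/hr", "/srv/legal")
EXFIL_DESTINATIONS = {"removable", "cloud_storage"}
FLAG_THRESHOLD = 2                            # Low (1) stays local; Medium/High go to HR
SEVERITY = {1: "Low", 2: "Medium", 3: "High"}


def is_sensitive(path):
    return any(path.startswith(p) for p in SENSITIVE_PREFIXES)


def evaluate_events(events, offboarding, baseline_systems):
    """Return HR Flag records (Insider Threat tab fields) for offboarding users.

    events: dicts with time, user, device, kind plus kind-specific fields
    (bytes, dest, path, action, target, system); a constructed telemetry shape.
    offboarding: set of user ids whose monitoring priority People elevated.
    baseline_systems: {user: set of systems seen during normal work}.
    """
    flags = []
    downloads = defaultdict(list)  # (user, device) -> recent download times

    def flag(ev, signal_type, score, description):
        if score >= FLAG_THRESHOLD:   # "anomaly above threshold" -> HR Flag
            flags.append({"flag_time": ev["time"], "signal_type": signal_type,
                          "severity": SEVERITY[score], "description": description,
                          "device": ev["device"], "user": ev["user"], "status": "New"})

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"] not in offboarding:
            continue                  # priority is elevated only during offboarding
        kind = ev["kind"]
        if kind == "file_copy" and ev["dest"] in EXFIL_DESTINATIONS:
            if ev["bytes"] >= LARGE_TRANSFER_BYTES:
                score = 3 if is_sensitive(ev["path"]) else 2
                flag(ev, "Large File Transfer", score,
                     f"{ev['bytes'] // 2**20} MiB copied to {ev['dest']} from {ev['path']}")
        elif kind == "download":
            key = (ev["user"], ev["device"])
            recent = [t for t in downloads[key] if ev["time"] - t <= BULK_WINDOW]
            recent.append(ev["time"])
            downloads[key] = recent
            if len(recent) == BULK_DOWNLOAD_COUNT:   # fire once when the burst crosses the line
                flag(ev, "Bulk Download", 2,
                     f"{BULK_DOWNLOAD_COUNT} files downloaded within {BULK_WINDOW}")
        elif kind == "dir_access" and is_sensitive(ev["path"]):
            if ev["time"].hour not in WORK_HOURS:
                flag(ev, "Unusual Access Pattern", 2,
                     f"{ev['path']} opened at {ev['time']:%H:%M}, outside normal hours")
        elif kind == "mail_rule" and ev.get("action") == "forward":
            flag(ev, "Email Forwarding Rule", 3,
                 f"forwarding rule created to {ev['target']}")
        elif kind == "system_access":
            if ev["system"] not in baseline_systems.get(ev["user"], set()):
                flag(ev, "Unusual Access Pattern", 1,   # Low: logged, not sent to HR
                     f"first observed access to {ev['system']}")
    return flags


def sample_events():
    """Constructed telemetry: jdoe is offboarding, asmith is not."""
    t0 = datetime(2024, 5, 6, 22, 15)          # 22:15, outside work hours
    d = {"user": "jdoe", "device": "LT-0142"}
    evs = [
        dict(d, time=t0, kind="dir_access", path="/srv/finance/q2"),
        dict(d, time=t0 + timedelta(minutes=5), kind="file_copy", dest="removable",
             bytes=900 * 2**20, path="/srv/finance/q2"),
        dict(d, time=t0 + timedelta(minutes=9), kind="mail_rule", action="forward",
             target="personal-mailbox@example.com"),
        dict(d, time=t0 + timedelta(minutes=10), kind="system_access", system="payroll-db"),
        {"user": "asmith", "device": "LT-0077", "time": t0, "kind": "file_copy",
         "dest": "cloud_storage", "bytes": 2 * 2**30, "path": "/srv/hr/exports"},
    ]
    evs += [dict(d, time=t0 + timedelta(minutes=20, seconds=i), kind="download",
                 path=f"/srv/hr/doc{i}.pdf") for i in range(BULK_DOWNLOAD_COUNT)]
    return evs


if __name__ == "__main__":
    for f in evaluate_events(sample_events(), {"jdoe"}, {"jdoe": {"crm", "wiki"}}):
        print(f["flag_time"], f["signal_type"], f["severity"], "-", f["description"])
```

Two behaviours worth noticing in the sample run: asmith's large copy to cloud storage produces nothing because that user is not on the offboarding list, so monitoring priority was never elevated, and jdoe's first-seen access to the payroll system scores Low and stays below the notification threshold, so HR sees four flags rather than five.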
Viewing Signals
Insider threat signals are visible to Admin and HR Manager roles only.
Navigate to Employees → open the employee record → Insider Threat tab. You will see:
- Flag Date and Time — when Defend detected the anomaly
- Signal Type — the category of anomalous behavior (e.g., "Large File Transfer", "Unusual Access Pattern")
- Severity — Low, Medium, or High
- Description — Defend's analysis of what was observed
- Device — which endpoint triggered the alert
- Status — New, Reviewed, Escalated, or Dismissed
Responding to a Signal
Mark as Reviewed
If you have investigated and determined the activity was benign:
- Open the signal
- Add a Review Note describing your investigation
- Click Mark Reviewed
Escalate
If the activity is confirmed as a threat or requires further investigation:
- Open the signal
- Click Escalate
- Optionally create a PSA ticket for the security team
- Coordinate with your security team to preserve evidence and take appropriate action
Dismiss
If the signal is clearly a false positive with no investigation needed:
- Open the signal
- Click Dismiss
- Provide a dismissal reason
Dismissed signals are retained in the audit log.
Privacy Controls
Insider threat signals are strictly access-controlled:
| Role | Can See Signals |
|---|---|
| Admin | Yes |
| HR Manager | Yes |
| HR Staff | No |
| Manager | No |
| Viewer | No |
The offboarding employee cannot see that they are being monitored or that any signals have been generated.
Signal data includes only behavioral metadata (file access patterns, transfer volumes, timing) — Defend does not capture file contents or personal communications.
Requirements
Insider threat signals require:
- The One Defend deployed and active at your organization
- Defend agents installed on the employee's endpoint(s)
- The employee placed in an active Offboarding process in People
- DEFEND_SERVICE_KEY configured on the People API (set during platform provisioning)
Automatic Offboarding Trigger
In addition to HR-flagging, Defend can also initiate an offboarding workflow in People automatically. This happens when Defend's threat intelligence correlates endpoint behavior with an employee identity and determines the risk level warrants immediate action.
When Defend triggers an offboarding automatically:
- An offboarding workflow is created in People
- HR is notified immediately
- The workflow is flagged as Defend-Initiated (distinguished from normal offboarding)
Automatic triggering is rare and typically reserved for active threat scenarios. Review all Defend-initiated offboarding workflows promptly.
Audit Trail
All insider threat signal activity is audit-logged:
- Signal received from Defend (timestamp, signal type, severity)
- Who viewed the signal and when
- Review, escalation, or dismissal actions with timestamps and actors
- Any notes added during investigation
This audit trail supports HR, legal, and law enforcement if escalation is required.
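How the People side of this could enforce the role table under Privacy Controls, the three responses under Responding to a Signal (Mark Reviewed with a Review Note, Escalate with an optional PSA ticket, Dismiss with a reason) and the audit entries listed above, as an added example that is not The One's code: InsiderThreatSignals is a hypothetical in-memory store. Role names, statuses and required notes follow the page; the rule that an action is taken only on a signal still in New status, the method names and the sample flag and actors are constructed assumptions.

```python
"""Illustrative People-side handling of HR Flags: added example, not The One's code.
Role names, statuses and required notes follow the page; the store, the
"only New signals can be acted on" rule and all sample data are constructed."""
from datetime import datetime, timezone

ROLES_WITH_SIGNAL_ACCESS = {"Admin", "HR Manager"}   # HR Staff, Manager, Viewer: no
# Action -> note the page says the action requires (None = no note required)
TRANSITIONS = {"Reviewed": "Review Note", "Escalated": None, "Dismissed": "dismissal reason"}


def can_see_signals(role):
    return role in ROLES_WITH_SIGNAL_ACCESS


class AccessDenied(PermissionError):
    pass


class InsiderThreatSignals:
    """In-memory signal store with an append-only audit log (constructed)."""

    def __init__(self, clock=None):
        self._signals = {}
        self.audit_log = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _audit(self, event, actor, sid, **details):
        self.audit_log.append({"time": self._clock(), "event": event,
                               "actor": actor, "signal_id": sid, **details})

    def receive_from_defend(self, flag):
        """Store an HR Flag pushed by Defend and log its receipt (no human actor)."""
        sid = len(self._signals) + 1
        self._signals[sid] = dict(flag, status="New", notes=[], psa_ticket=None)
        self._audit("signal_received", "defend", sid,
                    signal_type=flag["signal_type"], severity=flag["severity"])
        return sid

    def _authorize(self, actor):
        if not can_see_signals(actor["role"]):
            self._audit("access_denied", actor["id"], None, role=actor["role"])
            raise AccessDenied(f"role {actor['role']} cannot see insider threat signals")

    def view(self, actor, sid):
        self._authorize(actor)
        self._audit("signal_viewed", actor["id"], sid)    # who viewed, and when
        return dict(self._signals[sid])

    def act(self, actor, sid, new_status, note=None, psa_ticket=None):
        """Mark Reviewed / Escalate / Dismiss; every outcome lands in the audit log."""
        self._authorize(actor)
        if new_status not in TRANSITIONS:
            raise ValueError(f"unknown status {new_status!r}")
        sig = self._signals[sid]
        if sig["status"] != "New":                    # assumption: act once per signal
            raise ValueError(f"signal {sid} is already {sig['status']}")
        required = TRANSITIONS[new_status]
        if required and not note:
            raise ValueError(f"{new_status} requires a {required}")
        sig["status"] = new_status
        if note:
            sig["notes"].append(note)
        if new_status == "Escalated":
            sig["psa_ticket"] = psa_ticket             # optional PSA ticket for security
        self._audit("signal_" + new_status.lower(), actor["id"], sid,
                    note=note, psa_ticket=psa_ticket)
        return sig["status"]

    def history(self, sid):
        """Audit entries for one signal; dismissed signals are retained as well."""
        return [e for e in self.audit_log if e["signal_id"] == sid]


if __name__ == "__main__":
    store = InsiderThreatSignals()
    sid = store.receive_from_defend({"signal_type": "Large File Transfer", "severity": "High",
                                     "device": "LT-0142", "description": "constructed sample"})
    hr = {"id": "hr.lead", "role": "HR Manager"}
    store.view(hr, sid)
    store.act(hr, sid, "Escalated", psa_ticket="PSA-0001 (placeholder)")
    for e in store.history(sid):
        print(e["time"], e["event"], e["actor"])
```

The design point is that the audit log is written before any exception is raised: a denied view by an HR Staff user is itself recorded with the actor and role, so the trail answers not only who saw a signal but who tried to.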