A synthetic, investigator-centered insider risk and behavioral analytics lab focused on Structured Query Language (SQL)-driven detections, timeline reconstruction, entity correlation, and explainable investigative workflows.
The project simulates insider risk, Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), Data Loss Protection (DLP), and Security, Orchestration, Automation, and Response (SOAR)-style investigative operations using deterministic synthetic telemetry and lightweight analyst tooling.
- Why This Project Exists
- Architecture Overview
- Tech Stack
- Quick Start
- Exploration Tip
- Repository Structure
- Screenshots
- Generated Telemetry
- Dectection Coverage
- Streamlit Workbench
- Design Principles
- Core Capabilities
- Non-goals
- Ethical and Synthetic-Use Disclaimer
Modern insider risk teams need investigators who can move between human context and technical telemetry. This lab demonstrates that transition:
- Generate deterministic synthetic telemetry.
- Write and inspect SQL detections.
- Triage alerts with false-positive considerations.
- Reconstruct user timelines across authorization, Virtual Private Network (VPN), endpoint, file, USB, and privilege events.
- Compare behavior against peers.
- Simulate case management and SOAR-style workflow states without real integrations.
All telemetry and identities in this project are synthetic and generated for educational purposes.
flowchart LR
A["Synthetic telemetry generation<br/>Python scripts"]
A --> B["SQLite database<br/>users, auth, VPN, endpoint, file, USB"]
B --> C["Detection and analysis<br/>SQL + Pandas"]
C --> D["Streamlit investigation workbench<br/>dashboard, alerts, timelines, cases"]
D --> E["Entity relationship graph<br/>NetworkX + PyVis"]
D --> F["SOAR-style workflow simulation<br/>assign, escalate, close, export"]
- Python
- SQLite
- SQLAlchemy
- Streamlit
- Pandas
- NetworkX
- PyVis
- Faker
- Pytest
python3 -m venv .venv
. .venv/bin/activate
python -m pip install -r requirements.txt
python scripts/generate_data.py --users 5000 --seed 42
streamlit run app.pyThen open the local Streamlit URL shown in the terminal (typically http://localhost:8501).
For a smaller local run:
python scripts/generate_data.py --users 500 --seed 42
streamlit run app.pyThe generated SQLite database is written to data/insider_risk_lab.sqlite.
This project works particularly well as an interactive investigation exercise.
Open the Streamlit interface locally and walk through alerts, timelines, entity graphs, and case workflows while using an AI assistant alongside the application to:
- Explain detections
- Interpret timelines
- Reconstruct investigative narratives
- Discuss false-positive considerations
- Simulate analyst reasoning and escalation decisions
The synthetic telemetry and deterministic detections are intentionally designed to support guided analytical exploration and technical interview-style discussion.
.
├── app.py # Streamlit investigation interface
├── scripts/ # Synthetic telemetry generation
├── sql/detections/ # SQL-based detection logic
├── docs/ # Architecture and workflow documentation
├── docs/screenshots/ # UI screenshots used in README
├── src/insider_risk_lab/ # Core application logic
SOAR Workflow
The generator creates deterministic synthetic:
- User accounts, departments, managers, and privileged users
- Authentication logs
- VPN events
- Endpoint activity
- File-access events
- USB/removable media events
- Suspicious downloads
- Privilege escalation events
- After-hours activity
- Impossible travel events
- Dormant account reactivation
- Data exfiltration indicators
- Suspicious peer-group anomalies
Example:
python scripts/generate_data.py --users 5000 --seed 42Initial SQL detections include:
- Impossible travel
- Excessive file access
- Unusual after-hours activity
- Anomalous peer-group behavior
- Dormant account activity
- Repeated failed authentication
- Suspicious privilege escalation
- Mass file download behavior
- Suspicious USB usage
- VPN anomalies
Each detection is deterministic, explainable, and paired with false-positive considerations. The goal is to support analyst review, not automated attribution.
The app includes:
- Dashboard with alert counts, severity distribution, active cases, event statistics, and detection trends.
- Alert Queue with filters, assigned analyst, status, score, severity, explanations, and false-positive notes.
- User Investigation View with profile, timeline, authorization history, peer comparison, associated entities, and related alerts.
- Investigation Timeline with chronological event reconstruction and category filtering.
- Entity Relationship Graph using NetworkX and PyVis.
- Case Management with disposition, analyst notes, escalation level, investigation status, and confidence.
- SOAR-style Workflow Simulation for assigning, escalating, closing, marking false positives, requesting review, and exporting summaries.
- Analyst reasoning over automated enforcement.
- Explainable SQL over black-box scoring.
- Operational ambiguity over "hacker movie" certainty.
- Lightweight local tooling over enterprise architecture.
- Synthetic data only.
- Portfolio clarity over platform bloat.
- SQL-based insider risk detections
- Investigator timeline reconstruction
- UEBA-style peer comparison
- Entity correlation and pivot analysis
- Alert triage and disposition workflows
- Behavioral anomaly review
- Synthetic case generation
- Graph-based relationship visualization
- SOAR-inspired workflow states
- Explainable detection logic
- Structured investigative narratives
This project intentionally does not attempt to replicate:
- Enterprise-scale ingestion pipelines
- Real-time alerting infrastructure
- Production SOAR orchestration
- Autonomous enforcement decisions
- Commercial SIEM feature parity
The emphasis is investigator reasoning, explainable detections, and analytical workflows.
This project is an educational synthetic investigation lab. It does not process real employee data, customer data, classified information, protected data, or operational security telemetry. It does not make employment, disciplinary, access-control, or enforcement decisions.
Any real insider risk program should involve legal, privacy, HR, security, and governance stakeholders; clear policies; proportional controls; auditability; and strong safeguards against misuse.






