Skip to content

atlasruntime/insider-risk-lab

Repository files navigation

Insider Risk Investigation Lab

Python SQLite Streamlit Synthetic Data

A synthetic, investigator-centered insider risk and behavioral analytics lab focused on Structured Query Language (SQL)-driven detections, timeline reconstruction, entity correlation, and explainable investigative workflows.

The project simulates insider risk, Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), Data Loss Protection (DLP), and Security, Orchestration, Automation, and Response (SOAR)-style investigative operations using deterministic synthetic telemetry and lightweight analyst tooling.

Table of Contents

Why This Project Exists

Modern insider risk teams need investigators who can move between human context and technical telemetry. This lab demonstrates that transition:

  • Generate deterministic synthetic telemetry.
  • Write and inspect SQL detections.
  • Triage alerts with false-positive considerations.
  • Reconstruct user timelines across authorization, Virtual Private Network (VPN), endpoint, file, USB, and privilege events.
  • Compare behavior against peers.
  • Simulate case management and SOAR-style workflow states without real integrations.

All telemetry and identities in this project are synthetic and generated for educational purposes.

Architecture Overview

flowchart LR

A["Synthetic telemetry generation<br/>Python scripts"]

A --> B["SQLite database<br/>users, auth, VPN, endpoint, file, USB"]

B --> C["Detection and analysis<br/>SQL + Pandas"]

C --> D["Streamlit investigation workbench<br/>dashboard, alerts, timelines, cases"]

D --> E["Entity relationship graph<br/>NetworkX + PyVis"]

D --> F["SOAR-style workflow simulation<br/>assign, escalate, close, export"]
Loading

Tech Stack

  • Python
  • SQLite
  • SQLAlchemy
  • Streamlit
  • Pandas
  • NetworkX
  • PyVis
  • Faker
  • Pytest

Quick Start

python3 -m venv .venv
. .venv/bin/activate
python -m pip install -r requirements.txt
python scripts/generate_data.py --users 5000 --seed 42
streamlit run app.py

Then open the local Streamlit URL shown in the terminal (typically http://localhost:8501).

For a smaller local run:

python scripts/generate_data.py --users 500 --seed 42
streamlit run app.py

The generated SQLite database is written to data/insider_risk_lab.sqlite.

Exploration Tip

This project works particularly well as an interactive investigation exercise.

Open the Streamlit interface locally and walk through alerts, timelines, entity graphs, and case workflows while using an AI assistant alongside the application to:

  • Explain detections
  • Interpret timelines
  • Reconstruct investigative narratives
  • Discuss false-positive considerations
  • Simulate analyst reasoning and escalation decisions

The synthetic telemetry and deterministic detections are intentionally designed to support guided analytical exploration and technical interview-style discussion.

Repository Structure

.
├── app.py                    # Streamlit investigation interface
├── scripts/                  # Synthetic telemetry generation
├── sql/detections/           # SQL-based detection logic
├── docs/                     # Architecture and workflow documentation
  ├── docs/screenshots/       # UI screenshots used in README
├── src/insider_risk_lab/     # Core application logic

Screenshots

Dashboard

Dashboard overview

Alerting

Alert queue

Investigations

User investigation

Timelines

Investigation timeline

Entity Analysis

Entity graph

Case Management

Case management

SOAR Workflow

SOAR simulation

Generated Telemetry

The generator creates deterministic synthetic:

  • User accounts, departments, managers, and privileged users
  • Authentication logs
  • VPN events
  • Endpoint activity
  • File-access events
  • USB/removable media events
  • Suspicious downloads
  • Privilege escalation events
  • After-hours activity
  • Impossible travel events
  • Dormant account reactivation
  • Data exfiltration indicators
  • Suspicious peer-group anomalies

Example:

python scripts/generate_data.py --users 5000 --seed 42

Detection Coverage

Initial SQL detections include:

  • Impossible travel
  • Excessive file access
  • Unusual after-hours activity
  • Anomalous peer-group behavior
  • Dormant account activity
  • Repeated failed authentication
  • Suspicious privilege escalation
  • Mass file download behavior
  • Suspicious USB usage
  • VPN anomalies

Each detection is deterministic, explainable, and paired with false-positive considerations. The goal is to support analyst review, not automated attribution.

Streamlit Workbench

The app includes:

  • Dashboard with alert counts, severity distribution, active cases, event statistics, and detection trends.
  • Alert Queue with filters, assigned analyst, status, score, severity, explanations, and false-positive notes.
  • User Investigation View with profile, timeline, authorization history, peer comparison, associated entities, and related alerts.
  • Investigation Timeline with chronological event reconstruction and category filtering.
  • Entity Relationship Graph using NetworkX and PyVis.
  • Case Management with disposition, analyst notes, escalation level, investigation status, and confidence.
  • SOAR-style Workflow Simulation for assigning, escalating, closing, marking false positives, requesting review, and exporting summaries.

Design Principles

  • Analyst reasoning over automated enforcement.
  • Explainable SQL over black-box scoring.
  • Operational ambiguity over "hacker movie" certainty.
  • Lightweight local tooling over enterprise architecture.
  • Synthetic data only.
  • Portfolio clarity over platform bloat.

Core Capabilities

  • SQL-based insider risk detections
  • Investigator timeline reconstruction
  • UEBA-style peer comparison
  • Entity correlation and pivot analysis
  • Alert triage and disposition workflows
  • Behavioral anomaly review
  • Synthetic case generation
  • Graph-based relationship visualization
  • SOAR-inspired workflow states
  • Explainable detection logic
  • Structured investigative narratives

Non-Goals

This project intentionally does not attempt to replicate:

  • Enterprise-scale ingestion pipelines
  • Real-time alerting infrastructure
  • Production SOAR orchestration
  • Autonomous enforcement decisions
  • Commercial SIEM feature parity

The emphasis is investigator reasoning, explainable detections, and analytical workflows.

Ethical and Synthetic Use Disclaimer

This project is an educational synthetic investigation lab. It does not process real employee data, customer data, classified information, protected data, or operational security telemetry. It does not make employment, disciplinary, access-control, or enforcement decisions.

Any real insider risk program should involve legal, privacy, HR, security, and governance stakeholders; clear policies; proportional controls; auditability; and strong safeguards against misuse.

About

Insider risk investigation lab with synthetic SQL detections, UEBA-style analysis, timelines, entity correlation, and analyst workflows.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages