randomuserid / Baltar

Searches for Insider Threat Hunting

Baltar

A set of all known log and/or event data searches for insider threat hunting and detection, enumerating searches used across many different data pipelines. Implementation details are given for ELK (Elasticsearch, Logstash, Kibana) using free and open source (F/OSS) primary data pipelines.

This is not a general-purpose threat hunting search set. It is designed for hunting rogue users engaged in data theft and/or fraud. It requires large-scale data collection, because the searches depend on high-volume event types such as file and object access auditing, which many environments do not collect by default.
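The repository's own searches are not reproduced on this page. As an added illustration of the kind of hunt the description refers to, the following stand-alone Python script (not part of the Baltar repository) runs one such search over constructed object-access events: it computes each user's distinct files accessed per day, compares the hunt day against that user's own baseline (mean plus z standard deviations, with an absolute floor so tiny baselines do not fire), and also counts directories the user had never touched before. Field names follow ECS-style keys (`@timestamp`, `event.code`, `user.name`, `file.path`) as an assumption about how Windows event 4663 would land in ELK; the thresholds and the sample data are illustrative.

```python
"""Hunt for bulk file access by one user, a data-theft indicator.

Added example, not part of the Baltar project. Events are constructed and
modelled on Windows Security event 4663 (object access) after ECS-style
flattening; the field names and threshold values are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def make_events():
    """Constructed sample events (not real telemetry)."""
    events = []
    # Five quiet days: each user touches a handful of files in their own folder.
    for day in range(1, 6):
        for user, n in (("alice", 4), ("bob", 6), ("mallory", 5)):
            for i in range(n):
                events.append({
                    "@timestamp": f"2024-03-0{day}T10:{i:02d}:00Z",
                    "event.code": "4663",
                    "user.name": user,
                    "file.path": f"\\\\fs01\\share\\{user}\\doc{i}.docx",
                })
    # Day six: mallory walks the finance share at 02:xx, 180 distinct files.
    for i in range(180):
        events.append({
            "@timestamp": f"2024-03-06T02:{i // 3:02d}:{(i % 3) * 20:02d}Z",
            "event.code": "4663",
            "user.name": "mallory",
            "file.path": f"\\\\fs01\\share\\finance\\q{i // 45 + 1}\\ledger{i}.xlsx",
        })
    # Noise: a logon event that the hunt must ignore.
    events.append({"@timestamp": "2024-03-06T02:00:00Z", "event.code": "4624",
                   "user.name": "mallory", "file.path": ""})
    return events


def _dir(path):
    """Parent directory of a Windows path."""
    return path.rsplit("\\", 1)[0]


def daily_distinct_files(events, code="4663"):
    """Return {user: {day: set(file paths)}} built from object-access events."""
    per_user = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("event.code") != code or not ev.get("file.path"):
            continue
        day = ev["@timestamp"][:10]  # ISO date prefix, e.g. 2024-03-06
        per_user[ev["user.name"]][day].add(ev["file.path"])
    return per_user


def hunt_bulk_access(events, hunt_day=None, z=3.0, floor=50):
    """Flag users whose hunt-day distinct-file count is anomalous against
    their own history. `floor` is an absolute minimum so a user with a
    flat baseline (stdev 0) is not flagged for a trivial increase."""
    per_user = daily_distinct_files(events)
    if hunt_day is None:
        hunt_day = max(d for days in per_user.values() for d in days)
    findings = []
    for user, days in per_user.items():
        today_files = days.get(hunt_day, set())
        today = len(today_files)
        if today < floor:
            continue
        baseline = [len(files) for d, files in days.items() if d != hunt_day]
        if len(baseline) >= 2:
            threshold = mean(baseline) + z * pstdev(baseline)
        else:
            threshold = floor  # too little history; rely on the floor alone
        if today > threshold:
            seen_dirs = {_dir(p) for d, fs in days.items() if d != hunt_day for p in fs}
            new_dirs = {_dir(p) for p in today_files} - seen_dirs
            findings.append({
                "user": user,
                "day": hunt_day,
                "distinct_files": today,
                "baseline_mean": round(mean(baseline), 1) if baseline else None,
                "threshold": round(threshold, 1),
                "new_dirs": len(new_dirs),
            })
    return sorted(findings, key=lambda f: -f["distinct_files"])


if __name__ == "__main__":
    for f in hunt_bulk_access(make_events()):
        print(f)
```

In a real ELK deployment the per-user, per-day distinct-file counts would come from a `terms` aggregation on `user.name` with a `cardinality` sub-aggregation on `file.path`, and the baseline comparison would be done outside the query; the script keeps everything in one process so the logic can be read end to end.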

License: Other