Case Study

Early Detection of Fraud Committed by an Employee

Detected malicious activities

An employee made changes to a policy’s beneficiaries, and several days later started withdrawing money from the policy. Such withdrawals were performed several times.

User journey analyzed

The sequence of activities each employee performed over a month (one journey was created per user, per month).

Process and assumptions

TrackerIQ learned monthly working profiles for the entire organization and then used these profiles to detect abnormal/suspicious working journeys. The underlying assumption is that although activities themselves are common, actual attack journeys are very unusual.
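The assumption above (common activities, unusual ordering) can be shown with a small sketch. This is an added example, not TrackerIQ's algorithm or code from the vendor: it swaps in a simple organization-wide transition-frequency model, and the activity names, user names and log rows are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def build_journeys(rows):
    """One ordered journey per (user, month) from (user, month, seq, activity) rows."""
    journeys = defaultdict(list)
    for user, month, _seq, activity in sorted(rows):
        journeys[(user, month)].append(activity)
    return dict(journeys)

def learn_profile(journeys):
    """Organization-wide counts of activity-to-activity transitions."""
    pair_counts, from_counts = Counter(), Counter()
    for steps in journeys.values():
        for a, b in zip(steps, steps[1:]):
            pair_counts[(a, b)] += 1
            from_counts[a] += 1
    vocab = {act for steps in journeys.values() for act in steps}
    return pair_counts, from_counts, len(vocab)

def surprisal(steps, profile):
    """Mean surprisal in bits per transition, with add-one smoothing."""
    pair_counts, from_counts, vocab_size = profile
    pairs = list(zip(steps, steps[1:]))
    if not pairs:  # a single-activity journey has no ordering to score
        return 0.0
    bits = [-math.log2((pair_counts[p] + 1) / (from_counts[p[0]] + vocab_size))
            for p in pairs]
    return sum(bits) / len(bits)

def rank_journeys(journeys):
    """Journey keys ordered from most to least unusual."""
    profile = learn_profile(journeys)
    return sorted(journeys, key=lambda k: surprisal(journeys[k], profile), reverse=True)

# Constructed sample data; activity and user names are hypothetical.
ROUTINE_A = ["login", "view_policy", "update_beneficiary", "logout"]
ROUTINE_B = ["login", "view_policy", "withdraw", "logout"]
ODD = ["login", "update_beneficiary", "withdraw", "withdraw", "withdraw", "logout"]
ROWS = [(f"emp{i}", "2024-01", n, act)
        for i in range(10)
        for n, act in enumerate(ROUTINE_A if i % 2 else ROUTINE_B)]
ROWS += [("emp_x", "2024-01", n, act) for n, act in enumerate(ODD)]

if __name__ == "__main__":
    journeys = build_journeys(ROWS)
    for key in rank_journeys(journeys)[:3]:
        print(key, round(surprisal(journeys[key], learn_profile(journeys)), 2))
```

Every activity in the flagged journey also appears in routine journeys; only the transitions between them are rare, which is why per-activity alerting would miss it.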

TrackerIQ Analysis Results (over 24 months of monitored log data)

  • 30 journeys were flagged as suspicious
  • 6 of the suspicious journeys involved the employee who committed fraud

Abnormal journeys were detected in historical data and began six months before the employee committed actual fraud. The employee started by performing activities similar to the final fraud, but with small monetary values of only a few cents. Had the insurance company detected these abnormal journeys when they started, it could either have asked the employee about the anomalies, which likely would have prevented the subsequent fraud, or instead have started monitoring the employee more closely.


Monitoring employee activities and generating alerts about abnormal journeys, even if these journeys are not malicious, is an important preventive control, given that the number of alerts generated is small (a few per month).

TrackerIQ Benefits

  • Quick initial tuning of the detection model using historical data, including detection of past suspicious activities
  • Continuous monitoring of employee journeys to detect ongoing suspicious activities
  • Continuous monitoring provides both a preventive control and a compensating control for the lack of effective access control policies within the existing business application (developed years ago)
  • Few alerts per month (fewer than 1 per week) allow a focus on truly suspicious activities
  • An easy-to-use investigation tool for the business analyst


Insurance, publicly traded.


Application type



Application usage

The application is used by company employees to manage pension and insurance policies.


Data analyzed

Application audit logs, including historical data, describing user (i.e. employee) activities within the application.