User Behavior Intelligence for Endpoint Forensics


Dtex collects dedicated user behavior metadata directly from the endpoint, creating a high-fidelity audit trail of user behavior in human-readable data. This audit trail makes forensic investigations simple and seamless. Security teams use Dtex to instantly answer the important questions:


Lightweight metadata is collected enterprise-wide, across all users -- including super users and admins. Quickly understand who engaged in risky activity.


A full audit trail of user behavior allows analysts to quickly and easily understand exactly what actions the user took, what files they came into contact with, what machines they used, and more.


Data is collected both on and off the corporate network, for example when a user leaves the office or switches to a personal mobile hotspot, allowing investigators to see through common obfuscation attempts.


Build a full timeline of events surrounding an incident. Dtex’s audit trail makes forensic investigations simple by revealing a historical timeline of user behavior in human-readable data.

How & Why?

A single security incident can be attributed to simple carelessness, maliciousness, or outsider infiltration. Dtex shows investigators the full context around an event, allowing them to determine intent and build a stronger case around bad actors.

The Audit Trail in Action

Here's an example of the Dtex audit trail in action. Investigators will use Dtex to investigate the following alert:

ALERT: Dropbox Usage

User 243 has uploaded "MomsPieRecipe.pdf" to Dropbox.

Analysts are aware that files have been uploaded to Dropbox -- a disallowed file sharing platform -- but an alert alone doesn't give them any hint as to whether this was simple carelessness or a case of attempted data theft. Here's Dtex's audit trail for this event:

  • User logs onto their laptop.

  • User accesses corporate Sharepoint.

  • User switches from corporate wifi to mobile hotspot network.

  • User downloads folder of 121 "ClientList.xls" files.

  • User compresses those 121 files into ""

  • User renames "" to "MomsPieRecipe.pdf"

  • User uploads "MomsPieRecipe.pdf" to Dropbox, triggering a file sharing alert.

  • User signs off.

With this full audit trail, analysts can quickly understand the full context of this incident:

Malicious Intent

Analysts could confirm that this was intentional data theft, based on the intentional obfuscation of the file name and the switch away from the corporate network.

Affected Files

The audit trail reveals exactly which files the user downloaded and stole.

Definitive Timeline

Dtex maps the entire incident, step by step, to a definitive timeline.

Prosecutable Evidence

Should the company decide to pursue legal action, Dtex's user behavior data provides evidence of the user's data theft, including the evasive action taken before the event.
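
The reasoning an analyst applies to the audit trail above can be written as a short correlation over endpoint events. This is an added example, not part of the original page and not Dtex's code or record format: the event fields, the archive name (which the page does not give) and the numbered ClientList file names are constructed for illustration.

```python
import os

ARCHIVE = "archive-placeholder.zip"  # constructed: the page does not give this name
CLIENT_FILES = [f"ClientList_{i:03}.xls" for i in range(1, 122)]  # constructed, 121 files

# Constructed events mirroring the audit trail above (not a Dtex record format).
EVENTS = [
    {"t": 1, "user": "243", "action": "logon"},
    {"t": 2, "user": "243", "action": "access", "target": "SharePoint"},
    {"t": 3, "user": "243", "action": "network", "corporate": False},
    {"t": 4, "user": "243", "action": "download", "files": CLIENT_FILES},
    {"t": 5, "user": "243", "action": "compress", "inputs": CLIENT_FILES, "output": ARCHIVE},
    {"t": 6, "user": "243", "action": "rename", "src": ARCHIVE, "dst": "MomsPieRecipe.pdf"},
    {"t": 7, "user": "243", "action": "upload", "file": "MomsPieRecipe.pdf", "dest": "Dropbox"},
    {"t": 8, "user": "243", "action": "logoff"},
]

def ext(name):
    """Lower-cased file extension, including the dot."""
    return os.path.splitext(name)[1].lower()

def explain_upload(events, user, filename):
    """Walk back from an upload alert and return the context around it."""
    trail = sorted((e for e in events if e["user"] == user), key=lambda e: e["t"])
    upload = next((e for e in trail if e["action"] == "upload" and e["file"] == filename), None)
    if upload is None:
        return None
    before = [e for e in trail if e["t"] < upload["t"]]
    # Network in use at upload time: last network change before it (corporate if none).
    nets = [e for e in before if e["action"] == "network"]
    off_network = bool(nets) and not nets[-1]["corporate"]
    # Follow renames and archive creation backwards to the original files.
    names, sources, ext_changed = {filename}, set(), False
    for e in reversed(before):
        if e["action"] == "rename" and e["dst"] in names:
            names.add(e["src"])
            ext_changed = ext_changed or ext(e["src"]) != ext(e["dst"])
        elif e["action"] == "compress" and e["output"] in names:
            sources.update(e["inputs"])
    downloaded = {f for e in before if e["action"] == "download" for f in e["files"]}
    return {
        "off_corporate_network": off_network,
        "extension_changed_by_rename": ext_changed,
        "source_files": sorted(sources),
        "sources_were_downloaded": bool(sources) and sources <= downloaded,
    }

if __name__ == "__main__":
    print(explain_upload(EVENTS, "243", "MomsPieRecipe.pdf"))
```

An upload with no rename or archive lineage, made on the corporate network, comes back with every indicator false, which is the distinction between carelessness and intent that the alert alone cannot make.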


Investigating Malware with Dtex

While Dtex's metadata collection focuses on user behavior, its extensive high-fidelity endpoint data has also proven to be very useful when it comes to investigating external incidents, including malware, ransomware and hacking attacks. Customers have used Dtex to quickly identify which endpoints organization-wide have used a dangerous application, for instance, or to determine the exact root phishing email that led to an infection.

Prosecution-Ready Evidence

Dtex's user behavior records have been used to support legal proceedings and prosecution. Recently, Dtex's data was used in the prosecution of a data theft incident at a large financial institution, which resulted in a guilty plea.
