I just saw this in the Technet Flash and thought I’d pass it along. It is guidance for launching internal investigations into suspicious computer activity.
You can find website here. The page has the download for the guide plus links to some of the tools they use. Microsoft also provides links to publications and guides they used to develop this guidance.