Leveraging AXIOM for Insider Threat Investigations
Kevin Murphy | Senior Insider Threat Analyst | American Express
Insider threat investigations require a broad set of tools to investigate potential threats. Endpoint security tools provide a great deal of value in identifying user-based threats within an organization when hunt queries are tuned properly. In some cases, the results generated by endpoint security tools require additional endpoint triage to fully analyze user activity. This discussion will highlight how to use AXIOM to verify endpoint security alerts and uncover evidence that may not have been identified. One alert may be an indicator of nefarious intent that will lead to unknown evidence. Artifacts associated with this unknown evidence can provide value in tuning the investigator’s hunt queries. Attendees will gain knowledge on how AXIOM can uncover unknown evidence and improve future endpoint security-based hunts.