Abstract: To address insider threat behavior in enterprise information systems, especially the abuse of resources by internal users, we propose an Agent-based real-time detection framework that finds malicious insider behavior by comparing identity permissions with abnormal operation behavior. The framework is composed of a data acquisition module, a detection module, an audit module and a response module. The functions of the detection system are described from four aspects (identity authentication, access control, operation audit and vulnerability detection), and the key technology is introduced in detail. The application example shows that the detection framework implements real-name user login, behavior detection and post-event audit, fundamentally preventing malicious insiders from illegally obtaining data and providing response and intervention capabilities, which improves the security of the information system. Finally, we summarize the development trend of insider threat detection technology.