Finding the Gold Nugget in Suspicious Activity Reports

Posted on 3 August 2011 by


It’s fitting that for our 100th post, Libby Stengel joins us with a contribution on how to better mine and leverage suspicious activity reports. A consultant on the Memex team at SAS, Libby is a former U.S. Army intelligence officer who served in Iraq, where she performed all levels of intelligence including debrief, interrogation, analysis. If you’d like to contribute to Police Led Intelligence, please drop us a line.

It is an analyst’s nightmare. It wakes you up in the middle of the night with worry. A piece of information, or “gold nugget” of information, ran across your desk that ended up being the missing link to a large incident that just occurred.

You weren’t able to connect the dots with other information you read, maybe the source was sketchy, or maybe you didn’t have time to read it.

Suspicious Activity Reports (SARs), whether provided by law enforcement or a citizen, can mean nothing or could be the gold nugget in an investigation or analyst product, impacting both officer and public safety.

A huge weight is put on the individuals who have to look through all of the SARs to determine their validity. With the recent “See Something, Say Something” campaign, the number of SARs will be increasing.

Formerly known as Tips and Leads, SARs can come from many different avenues. Law enforcement, business owners and even disgruntled neighbors can drive the creation of SARs. Because of the vast sources for them, it is often difficult for analysts to be able to vet SARs in a fast and effective manner.

You want to find the important data and remove the junk that wastes your time. Having a process in place to put vetted SAR information into law enforcement hands swiftly can be very helpful in threat assessment and crime prevention.

Here are some techniques we advocate that can help analysts in-training to learn how to approach SARs:

Priority of SARs:
Prioritize based on severity of threat and available info about timeline.

If the SAR has immediacy, such as a threat to a public event today or tomorrow, that gets top priority. Try to anticipate what type of illegal activity might be implied by a SAR and determine how great a threat is possible or likely. This can be difficult at times, but try to imagine probable consequences. For example, a loitering SAR is probably less threatening than a report of a gun shop customer inquiring about how to build a bomb.

Consider the source of SARs and work to prove/disprove them
Police SARs are your most reliable source of information because beat cops have a pulse on what is out of the ordinary in their jurisdiction. But that doesn’t mean they get priority in vetting. Businesses are keen to changes in their normal practices, including unusual purchases or customer requests.

SARs submitted by residents can be valuable, but some healthy skepticism is useful because domestic quarrels between neighbors can cause many malicious or paranoid police calls.

Vetting of SARs:
1. Vet the source (non-law enforcement)
A name check on the source against Record Management Systems (RMS) and Computer Aided Dispatch (CAD) can give you a view on possible motivation of the caller. Check other local, state or federal databases that you are able to search.

Hopefully you have a single-login platform that can run a search across many databases.

2.Vet the main topic
Possible terrorist attack on water treatment plant?
Search databases that you have access to regarding any activity near the plant. Look for indications: Surveillance, parking tickets near the plant, unusual purchases near the plant, purchases of bomb making material or water contaminant anywhere in the city or county.

The Nationwide SAR Initiative has good guidance on what indications to look for. Speak to business owners that would have access to those types of materials. Search the national SAR shared space to see if other regions have reported a suspicious incident with the same characteristics. ISE-SAR Criteria Guidance and the NSI Federated Quarterly are both valuable resources to check your information against.

3. Speak to an expert on the topic
I would be inclined to talk to the water treatment plant manager. However, consideration must be given to the impact this will have on the investigation and possible identification of suspects.

You never know who you are talking to and even plant employees can be involved.  This decision should be discussed with organizational leaders and investigators prior to any contact or notifications of a threat being made.

The plant manager might offer information on any new employees, and details on the plant’s security measures. Another expert could be a police officer that has the plant in their jurisdiction. Unusual traffic in the area of the plant? Any “word on the street?”

4. After approval from appropriate parties, release a bulletin to law enforcement agencies
Some might say that this threat should have been released immediately to local law enforcement agencies. Indeed, as an analyst I would inform leadership at the water treatment plants and the local police agency quickly about the existence of a threat. However, I believe that SARs need to have vetting work done before distribution any further than that. Having a strong work-up behind a SAR gives the SAR more teeth, including a list of what has been confirmed or disproved within the report. That allows law enforcement officials to have the best background possible to track this SAR in the real world.

Remember, other analysts around the nation may review your SAR in connection with a threat they are assessing, so your workup details will be valuable, assuming that the tool you are using allows the workup to be captured and stay with the SAR.

5. Create the Bulletin
We have decided that the SAR has validity and the source of the information is reliable. In addition to adding the information to the ISE-SAR Space, a well-crafted bulletin gets it into the hands of the people that can help, i.e. law enforcement, relevant business and industry partners and/or the public.

A bulletin can contain:


  • BOLO (Be On the Look Out) for individual or group
  • Individuals or groups affected by SAR


  • The threat that has been identified from the SAR provider
  • Include your vetting results to confirm or disprove threat possibilities
  • Could original threat be an indicator of a different type of criminal activity?
  • Example: Increase in known extremist group paraphernalia could indicate a future attack/crime.


  • Time frame threat was received
  • Most likely and least likely times for attack/criminal activity to take place
  • Most effective time the attack/criminal activity could take place
    • Example: During opening remarks of a speech at a convention center. Large group of people = large amount of potential victims


  • Jurisdiction: local, state and/or federal
  • Most likely location
    • Example: An illegal gambling ring being located in the basement of a legit business
  • Most dangerous location
    • Example: A meth lab being located near a school or daycare in the area

Why (or So What)?

  • I spoke about this is a previous blog. Make the reader understand why they should care about this SAR.

6. Is it intelligence?
Initially, SARs contain information that has not been vetted and doesn’t necessarily indicate criminal activity. SARs are not intelligence and thus do not fall under the compliance umbrella of Regulation 28 CFR Part 23 (28CFR23). After going through the vetting process, do you have reasonable suspicion of criminal activity?

Do you have a definable criminal act that has occurred or will occur? If so, this SAR could now fall in the realm of intelligence.

Pushing SAR information to an intelligence report, investigation system, SAR shared space, and eGuardian without duplicate entry is important to ensure a smooth data-to-intelligence/investigation process as well as adoption by your system’s users.

Suspicious Activity Reports are a great resource to guide analysts and leaders to new crime or threat streams in their area. Having technology in place to swiftly find and vet the most useful SARs aids in crime prevention for your law enforcement agency – and across the country. As an added bonus, it may also allow your analysts to sleep better at night knowing that the elusive gold nugget was not overlooked.

Libby Stengel is a Principal Consultant for the Memex solutions team at SAS, worldwide provider of intelligence management, data integration, search and analysis solutions.  Stengel is a former U.S. Army intelligence officer with four years of active duty, and has served in Iraq working all levels of intelligence including debrief, interrogation, analysis, and also served as a criminal intelligence trainer. She can be reached at