Automatic derivation and validation of a cloud dataset for insider threat detection - HAL open archive
Conference paper. Year: 2017

Abstract

The malicious insider threat is often listed as one of the most dangerous cloud threats. The main difference for this threat between a cloud computing (CC) scenario and a traditional IT infrastructure is that, once perpetrated, it could damage other CSCs due to the multi-tenancy and virtual environment cloud features. One of the associated challenges is that this threat domain is highly dependent on characteristics of human behavior, as opposed to the more purely technical domains of network data generation. Therefore, we outline the design of synthetic data, while discussing cloud-based indicators and socio-technical human factors, and derive a cloud scenario dataset for threat detection purposes. As a proof of concept, we test our model on an airline flight scheduling application, provided by a flight operator, together with proposing realistic threat scenarios for its future detection. The work is motivated by the complexity of the problem itself as well as by the absence of open, realistic cloud-based datasets.

Dates and versions

hal-01583232 , version 1 (07-09-2017)

Identifiers

Cite

Pamela Carvallo, Ana Rosa Cavalli, Natalia Kushik. Automatic derivation and validation of a cloud dataset for insider threat detection. ICSOFT 2017 : 12th International Conference on Software Technologies, Jul 2017, Madrid, Spain. pp.480 - 487, ⟨10.5220/0006480904800487⟩. ⟨hal-01583232⟩