Comment on page

Inactive Account Probing

Detects users with a sudden spike in failed login attempts after a long period of inactivity, which may be an account takeover attempt. A user will fail this check if they have been inactive for 7 or more days and experience at least 1 account probing attempt/s.
Recommended Actions
Investigate the source of failed login attempts and update geo-blocking rules. Check if the username was in any known data breaches. Follow recommended remediation for Inactive Users. Trigger an access review with the user’s manager to verify that the dormant account still needs access. If the account is unneeded, suspend it. Otherwise, continue monitoring it for activity and suspend it after a grace period.
Default Check Settings
Number of days: 7
Account probing threshold: 1
Compatibility
Okta