Inactive Account Probing

Detects users with a sudden spike in failed login attempts after a long period of inactivity, which may indicate an account takeover attempt. A user fails this check if they have been inactive for 7 or more days and experience at least 1 account probing attempt.

Recommended Actions

Investigate the source of failed login attempts and update geo-blocking rules. Check if the username was in any known data breaches. Follow recommended remediation for Inactive Users. Trigger an access review with the user’s manager to verify that the dormant account still needs access. If the account is unneeded, suspend it. Otherwise, continue monitoring it for activity and suspend it after a grace period.

Default Check Settings

Number of days: 7

Account probing threshold: 1
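The check's logic with the default settings above, as an added example that is not the product's own implementation. It assumes that inactivity is measured from the user's last successful login and that each failed login after that window counts as one probing attempt; the event format, the function name `find_probed_inactive` and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

INACTIVE_DAYS = 7     # page default: "Number of days"
PROBE_THRESHOLD = 1   # page default: "Account probing threshold"

# Constructed sample sign-in events: (ISO timestamp, user, outcome, source IP)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "success", "198.51.100.10"),
    ("2024-05-02T09:00:00", "alice", "failure", "198.51.100.10"),  # active user, mistyped password
    ("2024-05-02T09:01:00", "alice", "success", "198.51.100.10"),
    ("2024-04-01T08:00:00", "bob",   "success", "198.51.100.20"),  # last real activity
    ("2024-05-03T02:14:00", "bob",   "failure", "203.0.113.7"),    # 32 days later
    ("2024-05-03T02:14:30", "bob",   "failure", "203.0.113.7"),
    ("2024-05-03T03:00:00", "carol", "failure", "203.0.113.9"),    # no success on record
]

def find_probed_inactive(events, inactive_days=INACTIVE_DAYS, threshold=PROBE_THRESHOLD):
    """Return {user: {"attempts": n, "sources": {ip, ...}}} for users failing the check."""
    window = timedelta(days=inactive_days)
    last_success = {}
    findings = {}
    # ISO timestamps in one format sort chronologically as strings.
    for ts, user, outcome, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        if outcome == "success":
            last_success[user] = when
            continue
        seen = last_success.get(user)
        if seen is None:
            # Assumption: without a recorded success, inactivity cannot be
            # measured from this data, so the event is skipped.
            continue
        if when - seen >= window:
            hit = findings.setdefault(user, {"attempts": 0, "sources": set()})
            hit["attempts"] += 1
            hit["sources"].add(ip)
    return {u: f for u, f in findings.items() if f["attempts"] >= threshold}

if __name__ == "__main__":
    for user, hit in find_probed_inactive(EVENTS).items():
        print(user, hit["attempts"], sorted(hit["sources"]))
```

The collected source IPs are the starting point for the first recommended action, investigating where the failed attempts came from.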

Compatibility

Microsoft Entra ID

Okta

Google Workspace
