> For the complete documentation index, see [llms.txt](https://docs.oort.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.oort.io/understanding-check-failures/oort-insights/identity-posture-management-insights/inactive-account-probing.md).

# Inactive Account Probing

Identifies users who experience a sudden surge in failed login attempts after an extended period of inactivity, which could indicate a potential account takeover attempt.

A user will fail this check if they have been inactive for 30 (configurable) or more days and encounter at least 2 (configurable) account probing attempt(s).

#### **Recommended Actions**

Check if the username was in any known data breaches. Prioritize investigating and remediating users without MFA enabled on their accounts, as they are at the highest risk. If an attacker successfully guesses or obtains their password, they can gain access without needing a second form of authentication.

To remediate, start by initiating an access review with the user’s manager to confirm whether the dormant account is still needed. If the probed account is no longer required, deprovision it at the identity source. If the account is still needed (ex: user on leave), disable it at the identity source.

If the probed account is no longer required, deprovision it at the identity source. If the account is still needed (ex: user on leave), disable sign-in's at the identity source.

Otherwise, continue monitoring the account for activity and suspend it after a grace period if inactivity persists. Investigate the source(s) of failed login attempts and update geo-blocking rules if needed.

#### **Default Check Settings**

Number of days of inactivity: 30

Account probing threshold: 2

#### **Compatibility**

[Microsoft Entra ID](/integrations/azure-active-directory-integration.md)

[Okta](/integrations/okta-data-integration.md)

[Google Workspace](/integrations/google-workspace-integration.md)

<figure><img src="/files/vKgocu2ISJ8qMsfiMHr2" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.oort.io/understanding-check-failures/oort-insights/identity-posture-management-insights/inactive-account-probing.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.