Access From Dormant Account
Detects Priority Accounts that have successfully signed in via one or more integration instances in the last 30 days [default setting] despite not having a successful sign-in across all integration instances in the last 7 days [default setting]. New accounts that were created in the last 7 days [default] will not be evaluated against this check. Accounts from newly configured integration instances will also not be evaluated against this check for 7 days.
Adversaries often target dormant accounts that belong to users who no longer work at a victim organization, but whose accounts still have access to the system.
If a malicious actor gains access to a dormant account, they can access whatever the user previously had access to and/or make changes to the account to maintain persistence in the environment.
Since these accounts are dormant, the true account owner will not notice that a password or MFA factor is no longer working properly, and the adversary can stay in the system undetected.
Recommended Actions
Please investigate to ensure this sign-in is legitimate. If the account should no longer be in use, delete the account.
Consider reviewing the list of failing users on a weekly basis or setting up a notification target to receive alerts on new failures.
Default Check Settings
Number of days inactive: 30 days
Evaluation period for successful sign in: 7 days
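The check's logic, sketched as an added example that is not the product's own code. It assumes the two default settings combine so that an account fails when a successful sign-in inside the 7-day evaluation period follows at least 30 days without one across all integration instances; the function name, data model and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

def dormant_access(now, accounts, instances, signins,
                   inactive_days=30, eval_days=7, grace_days=7):
    """Return account ids with a successful sign-in in the evaluation
    period that follows at least `inactive_days` without one."""
    eval_start = now - timedelta(days=eval_days)
    grace_start = now - timedelta(days=grace_days)
    history = {}
    for account, _instance, ts in signins:    # successful sign-ins, any instance
        history.setdefault(account, []).append(ts)
    failing = []
    for account, (created, instance) in accounts.items():
        # Skip new accounts and accounts from newly configured instances.
        if created > grace_start or instances[instance] > grace_start:
            continue
        times = sorted(history.get(account, []))
        recent = [t for t in times if eval_start <= t <= now]
        if not recent:
            continue                           # no access in the evaluation period
        earlier = [t for t in times if t < eval_start]
        # Assumption: with no earlier sign-in, dormancy is measured from creation.
        baseline = earlier[-1] if earlier else created
        if recent[0] - baseline >= timedelta(days=inactive_days):
            failing.append(account)
    return sorted(failing)

# Constructed sample data (hypothetical accounts and instance names).
NOW = datetime(2024, 6, 30)
INSTANCES = {"idp-a": datetime(2023, 1, 1), "idp-b": datetime(2023, 1, 1),
             "idp-new": datetime(2024, 6, 27)}   # configured 3 days ago
ACCOUNTS = {                                     # id -> (created, source instance)
    "alice": (datetime(2023, 1, 1), "idp-a"),    # 58-day gap, then sign-in
    "bob":   (datetime(2023, 1, 1), "idp-a"),    # regularly active
    "carol": (datetime(2024, 6, 26), "idp-a"),   # account created 4 days ago
    "dave":  (datetime(2023, 1, 1), "idp-new"),  # instance too new to evaluate
    "erin":  (datetime(2023, 1, 1), "idp-b"),    # dormant, but no recent access
}
SIGNINS = [                                      # (account, instance, timestamp)
    ("alice", "idp-a", datetime(2024, 5, 1)), ("alice", "idp-b", datetime(2024, 6, 28)),
    ("bob", "idp-a", datetime(2024, 6, 20)), ("bob", "idp-a", datetime(2024, 6, 29)),
    ("carol", "idp-a", datetime(2024, 6, 29)), ("dave", "idp-new", datetime(2024, 6, 29)),
    ("erin", "idp-b", datetime(2024, 4, 1)),
]

if __name__ == "__main__":
    print(dormant_access(NOW, ACCOUNTS, INSTANCES, SIGNINS))
```

Lowering `inactive_days` widens the set of failing accounts, which is worth checking against the weekly review volume before changing the default.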