VPN login by a dormant user

Cortex XDR Analytics Alert Reference by Alert name

Cortex XDR
Last date published
Analytics Alert Reference
Alert name


Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Global Protect
    • Third-Party VPNs

Detection Modules

Identity Analytics

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Valid Accounts: Domain Accounts (T1078.002)




A dormant user logged on to a VPN service after having been unused for a month or longer.
This may indicate the account is misused by an attacker.

Attacker's Goals

Use a compromised user account which has not been used for a long while, and therefore is less likely to be noticed.

Investigative actions

  • Confirm that the activity is benign (e.g. the user returned from a long leave of absence).
  • See whether there are other abnormal actions done by the user (e.g. files\commands\other logins).
  • Check if the user initiated other logins aside from a VPN login.
  • Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.