Login by a dormant user

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Valid Accounts: Domain Accounts (T1078.002)

Severity

Informational

Description

A dormant user logged on after having been unused for a month or longer.
This may indicate the account is misused by an attacker.

Attacker's Goals

Use a compromised user account which has not been used for a long time, and is therefore less likely to be noticed.

Investigative actions

  • Confirm that the activity is benign (e.g. the user returned from a long leave of absence).
  • See whether there are other abnormal actions done by the user (e.g. files\commands\other logins).
  • Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

Variations

Cached interactive login by a dormant user

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Valid Accounts: Domain Accounts (T1078.002)

Severity

Informational

Description

A dormant user logged on after having been unused for a month or longer.
This may indicate the account is misused by an attacker.

Attacker's Goals

Use a compromised user account which has not been used for a long time, and is therefore less likely to be noticed.

Investigative actions

  • Confirm that the activity is benign (e.g. the user returned from a long leave of absence).
  • See whether there are other abnormal actions done by the user (e.g. files\commands\other logins).
  • Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.