How to monitor inactive accounts

Monitoring inactive accounts is a matter of configuration. This process includes the following steps:

1) Define an "Object list" which includes the accounts that you want to include.

For this you need to: - go to settings - access the "Objects" section in the "Management" group

img.png

  • create the Object list by adding the first element "test_user"
  • name the list "Inactive_accounts", notice the TTL has been set to -1 which tells the system fot his entry never to expire.

img_1.png

2) Create/Modify/Duplicate existing/new Alerts for specific actions which we need to be alerted upon. In the relevant alert specific rule, add a filter to use the specifid list, on the username field: UserName isInList @Inactive_accounts . Notice the "@" sign which explains the "Data Correlation" engine to use a specific list, not a list of strings which can also specified.

  • go to realtime alerts
  • duplicate an exiting alert
  • specify for it to use the newsly created list img_2.png

3) Use the reports module for specific actions you want to monitor (and use an existing report with filters)