
How to monitor inactive accounts

Monitoring inactive accounts combines object lists, alert correlation, and reporting.

1. Creating Object List Entries

Follow the steps below to add each inactive account into the Inactive_accounts Object List.

1.1 Access the Object Management Module

  • Log in to CYBERQUEST with an account that has administrative or configuration permissions.

  • Navigate to the menu: Settings > Management > Objects

1.2 Create a New Object Entry

Follow the steps below to add an inactive account into the Inactive_accounts Object List:

  • In the Objects page, click NEW OBJECT.

  • In the Name field, enter a clear identifier for the inactive account.

  • In the Value field, enter the exact username as it appears in event logs.

  • Set TTL to 1 year. The TTL must be specified in seconds.

  • Assign to Object List: in the Object List field, select Inactive_accounts. If the list does not exist, type the name and choose Create “Inactive_accounts”.

  • Click Save to store the entry.

Repeat the steps in section 1.2 to create additional object entries for:


2. Configure Alerts Using the Inactive_accounts List

This section describes how to create a realtime alert that triggers whenever an inactive account appears in event data. The alert uses the previously created Inactive_accounts Object List as a correlation condition.

2.1 Access Realtime Alerts Configuration

  • Log in to CYBERQUEST with an account that has administrative or configuration permissions.
  • Navigate to the menu: Settings > Alerts > Realtime. This opens the list of existing realtime alert rules.

2.2 Create a New Alert (or Duplicate an Existing One)

Click CREATE ALERT to create a new alert rule.

Alternatively, select an existing authentication-related alert and click Duplicate, then rename it.

Alert rule using object list

This alert is designed to detect any activity generated by inactive or disabled user accounts. When an event contains a username that matches an entry inside the Inactive_accounts Object List, the alert will trigger immediately. This ensures the SOC is notified if any deprecated or unauthorized account is used across the environment.

Note: The “@” symbol placed before the list name (e.g., @Inactive_accounts) instructs the Data Correlation engine to reference a specific Object List, rather than treating the value as a literal list of strings. This ensures the alert evaluates the event username against all entries stored in the defined object list.
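The Python model below is an added example, not CYBERQUEST code or rule syntax. It shows how an exact-match lookup against an object list behaves, and why the Value field and TTL matter for alert coverage. It assumes exact string comparison and that an entry stops matching once its TTL has elapsed; all names, usernames and events are constructed.

```python
from dataclasses import dataclass

YEAR_SECONDS = 365 * 24 * 60 * 60  # "1 Year" in seconds (365-day year assumed)

@dataclass(frozen=True)
class ObjectEntry:
    name: str      # Name field: identifier for the inactive account
    value: str     # Value field: username exactly as it appears in event logs
    created: int   # epoch seconds when the entry was saved
    ttl: int = YEAR_SECONDS

    def live(self, now: int) -> bool:
        # Assumption: an entry no longer matches after created + ttl
        return now < self.created + self.ttl

def match_events(entries, events, now):
    """Events whose username exactly equals the value of a live entry."""
    live_values = {e.value for e in entries if e.live(now)}
    return [ev for ev in events if ev["user"] in live_values]

def near_misses(entries, events):
    """(entry value, logged username) pairs that differ only by case, a
    DOMAIN\\ prefix or an @domain suffix: entries that never match exactly."""
    def bare(u):
        return u.split("\\")[-1].split("@")[0].lower()
    seen = {ev["user"] for ev in events}
    return sorted((e.value, u) for e in entries for u in seen
                  if e.value != u and bare(e.value) == bare(u))

# Constructed sample data
NOW = 1_700_000_000
ENTRIES = [
    ObjectEntry("Former employee jdoe", "CORP\\jdoe", NOW - 86_400),
    ObjectEntry("Old service account", "svc_backup", NOW - 86_400),
    ObjectEntry("Contractor, entry expired", "CORP\\ext_amy", NOW - YEAR_SECONDS - 1),
]
EVENTS = [
    {"id": 1, "user": "CORP\\jdoe"},
    {"id": 2, "user": "svc_backup@corp.example"},
    {"id": 3, "user": "CORP\\ext_amy"},
    {"id": 4, "user": "CORP\\alice"},
]

if __name__ == "__main__":
    print("alerts:", [ev["id"] for ev in match_events(ENTRIES, EVENTS, NOW)])
    for value, logged in near_misses(ENTRIES, EVENTS):
        print(f"entry {value!r} never matches; logs show {logged!r}")
```

Only event 1 alerts in this model: the service account entry was stored without the suffix seen in logs, and the contractor entry has passed its TTL, so both need correcting or renewing before the alert covers them.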

Use the reports module to monitor specific actions by applying filters to an existing report.