How to monitor inactive accounts
Monitoring inactive accounts is a matter of configuration. This process includes the following steps:
1) Define an "Object list" which contains the accounts that you want to monitor.
For this you need to:
- go to settings
- access the "Objects" section in the "Management" group
- create the Object list by adding the first element "test_user"
- name the list "Inactive_accounts". Notice that the TTL has been set to -1, which tells the system that this entry never expires.
2) Create, modify, or duplicate alerts for the specific actions you need to be alerted on. In the relevant alert's rule, add a filter on the username field that uses the specified list: UserName isInList @Inactive_accounts. Notice the "@" sign, which tells the "Data Correlation" engine to use a named list rather than a list of strings, which can also be specified.
- go to realtime alerts
- duplicate an existing alert
- specify that it should use the newly created list
3) Use the reports module for specific actions you want to monitor (and use an existing report with filters)
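
The list-based filter from steps 1 and 2, modelled as an added Python sketch (not the product's own code) and run over constructed logon events. The TTL unit (seconds), the case-insensitive comparison, the "old_contractor" entry and all function names are assumptions of this example.

```python
import time

NEVER = -1  # TTL value the page uses for an entry that never expires


class ObjectList:
    """Named list of values, each with a TTL (assumed seconds; -1 = never)."""

    def __init__(self, name):
        self.name = name
        self._expiry = {}  # lower-cased value -> absolute expiry time

    def add(self, value, ttl=NEVER, now=None):
        now = time.time() if now is None else now
        self._expiry[value.lower()] = float("inf") if ttl == NEVER else now + ttl

    def contains(self, value, now=None):
        now = time.time() if now is None else now
        # Unknown values get an expiry in the past, so they never match.
        return now < self._expiry.get(value.lower(), float("-inf"))


def match_in_list(events, field, object_list, now=None):
    """Model of `<field> isInList @<list>`: keep events whose field is listed."""
    return [e for e in events if object_list.contains(e.get(field, ""), now)]


# Constructed sample events (not real product output).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:03Z", "UserName": "alice", "action": "logon"},
    {"time": "2024-05-01T08:02:41Z", "UserName": "test_user", "action": "logon"},
    {"time": "2024-05-01T08:05:10Z", "UserName": "TEST_USER", "action": "logon_failed"},
    {"time": "2024-05-01T08:07:55Z", "UserName": "old_contractor", "action": "logon"},
]


def demo():
    t0 = 1_000_000.0  # fixed clock so the result is reproducible
    inactive = ObjectList("Inactive_accounts")
    inactive.add("test_user", ttl=NEVER, now=t0)      # entry from step 1
    inactive.add("old_contractor", ttl=3600, now=t0)  # assumed entry, 1-hour TTL
    soon = match_in_list(SAMPLE_EVENTS, "UserName", inactive, now=t0 + 60)
    later = match_in_list(SAMPLE_EVENTS, "UserName", inactive, now=t0 + 7200)
    return soon, later


if __name__ == "__main__":
    for label, hits in zip(("after 1 minute", "after 2 hours"), demo()):
        print(label, [(e["UserName"], e["action"]) for e in hits])
```

An entry added with a finite TTL silently stops matching once it expires, which is why the page sets -1 for accounts that must stay monitored.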