You can see users in your system that have dormant accounts, active accounts, or accounts that have never been used.
Viewing dormant accounts on the User Details page
You can see the status of the accounts that are associated with the selected user on the User Details page.
|User Account Status||Description|
An account that UBA has seen events from a QRadar® log source within the configured dormant account threshold time period.
An account that UBA has seen at least one event from in the past but has not seen any new events during the dormant account threshold time period.
An account for which UBA has never seen an event with that user name in a QRadar log source.
Accounts identified as "Never Used" can be caused by the following activities:
Users with Dormant Accounts watchlist
The Users with Dormant Accounts watchlist is automatically generated as the UBA app pulls in user data. You can view the Users with Dormant Accounts watchlist on the UBA Dashboard.
If you delete the watchlist, it is not automatically re-created. If you need to create it again, select the UBA : Dormant Accounts reference set on the Membership Settings tab on the Create a watchlist screen.
Configuring the dormant accounts threshold
The default value for the dormant accounts threshold is 14 days. You can change the number of days that users are inactive before they are considered dormant in the Application Settings section on the UBA Settings page ( ).
Responses to dormant accounts or users
You can generate responses for dormant accounts from the provided rules. You can also create custom responses by using the events that are triggered from the app.
- Dormant Account Found (QID 104000012)
- Dormant Account Used (QID 104000013)