diff --git a/detections/network/detect_network_traffic_from_inactive_accounts.yml b/detections/network/detect_network_traffic_from_inactive_accounts.yml
new file mode 100644
index 0000000000..7b454adc27
--- /dev/null
+++ b/detections/network/detect_network_traffic_from_inactive_accounts.yml
@@ -0,0 +1,94 @@
+name: Detect Network Traffic From Inactive Accounts
+id: e08aa2f6-7d90-4ab8-af11-da4df38bb7ff
+version: 1
+date: '2024-10-14'
+author: Zaki Zarkasih Al Mustafa
+data_sources:
+- Windows Event Log Security 4624
+- Windows Event Log Security 4625
+type: Anomaly
+status: production
+description: This detection identifies network traffic activity from user accounts that have been inactive for over 30 days. It monitors the network logs for accounts with no recent activity within the past 30 days and flags any sudden activity (such as login or access events) as a potential anomaly. This can help detect cases where inactive accounts may have been compromised and are being used unexpectedly. The detection logic leverages data from network traffic logs and checks for accounts that have not had any recorded activity within the specified inactivity threshold.
+search: '| tstats summariesonly=true fillnull_value=null count min(_time) as firstTime
+  max(_time) as lastTime from
+
+  datamodel=Network_Traffic.All_Traffic by All_Traffic.authserver, All_Traffic.vendor_product,
+
+  All_Traffic.user, All_Traffic.action
+
+  | `drop_dm_object_name("All_Traffic")`
+
+  | eval inactivityPeriodByDay = (now() - lastTime) / 86400
+
+  | eval lastTimeLogin = relative_time(now(), "-4h")
+
+  | eval status = if(inactivityPeriodByDay > 29, "inactive", "active")
+
+  | eval inactivityPeriodByDay = round(inactivityPeriodByDay, 0) . " Days"
+
+  | search status = "inactive" AND lastTime <= lastTimeLogin
+
+  | rename authserver as "auth server", vendor_product as "vendor product"
+
+  | eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"), lastTimeLogin=strftime(lastTimeLogin,
+  "%Y-%m-%d
+
+  %H:%M:%S")
+
+  | table "auth server", "vendor product", user, firstTime, lastTimeLogin, inactivityPeriodByDay,
+  status,
+
+  action | `detect_network_traffic_from_inactive_accounts_filter`'
+how_to_implement: Ensure that the Network Traffic data model is properly populated and includes logs from relevant sources (e.g., firewalls, proxies, or other network monitoring tools). Configure the data model acceleration to ensure performance and availability for this detection. Make sure to adjust any environment-specific filter macros for false positive reduction.
+known_false_positives: False positives may include legitimate users returning to the network after extended vacations or periods of inactivity. System accounts or service accounts that are seldom used but have routine tasks may also trigger this detection.
+references:
+  - https://attack.mitre.org/techniques/T1078/
+  - https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Useaccelerateddatamodels
+  - https://www.sans.org/white-papers/monitoring-inactive-accounts/
+drilldown_searches:
+- name: View network activity for $user$
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View detailed inactivity and action history for $user$
+  search: 'search All_Traffic.user="$user$" | eval inactivityPeriodByDay = (now() - lastTime) / 86400 | eval status = if(inactivityPeriodByDay > 29, "inactive", "active") | eval inactivityPeriodByDay = round(inactivityPeriodByDay, 0) . " Days" | table user, action, firstTime, lastTime, inactivityPeriodByDay, status'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View associated risk events for $user$
+  search: 'from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story: 
+  - Insider Threat
+  asset_type: Network
+  confidence: 80
+  impact: 50
+  message: Network traffic detected from an inactive user account - $user$
+  mitre_attack_id:
+  - T1078
+  - T1110
+  - T1040
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - user
+  - authserver
+  - vendor_product
+  - action
+  risk_score: 40
+  security_domain: identity
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://github.com/splunk/contentctl/wiki
+    sourcetype: WinEventLog:Security
+    source: Active Directory