The scenario here is that a company has hired an external consultant. The consultant was on vacation and sick for a total of about 1 month.
Once back at work he started accessing the system and doing this work. Immediately ATA became suspicious and sendt out an alert.
ATA flagged the behavior as abnormal due to the consultant being away for such a long period of time.
This said, a lot of companies are not closing down consultant accounts after they are done working. Some keep them open waiting for “next incident” and some just forget to remove them.
ATA can help you to keep track of this and alerts you if a old consultancy account is stolen.