Resource access by Azure ATP Directory Services user account
The Directory service account is used for a number of operations, so you shouldn't expect regular access patterns. However, if you are seeing alerts/high investigation priority coming from this account, that needs to be troubleshot. Can you please share some screenshots with us?
But there has been a very distinct pattern. As I scroll to try and reach the oldest event for the account, there was a very high volume of credential validation events on domain controllers on March 4th, which was the day the account was seen/created, so likely the day I first set up Azure ATP. The last of the regular credential validation events was August 4th, 6 months later.
I understand exactly why the investigation priority was high for the days I noticed, as it was the first time the account has ever accessed workstation resources on our domain.
What is also strange is there has been no reported activity for the account from Dec 4th to today.