dcrn1
Dec 04, 2019 (Copper Contributor)
Resource access by Azure ATP Directory Services user account
Today I noticed a high investigation priority score in Cloud App Security for the AD user account configured under "Directory Services" in Azure ATP. Reviewing that user's timeline in Azure ATP: ...
dcrn1
Dec 17, 2019 (Copper Contributor)
But there has been a very distinct pattern: as I scroll to try and reach the oldest event for the account, there was a very high volume of credential validation events on domain controllers on March 4th, which was the day the account was seen/created, so likely the day I first set up Azure ATP. The last of the regular credential validation events was August 4th, 6 months later.
I understand exactly why the investigation priority was high for the days I noticed, as it was the first time the account has ever accessed workstation resources on our domain.
What is also strange is there has been no reported activity for the account from Dec 4th to today.