ATPDocs/service-account-discovery.md
Lines changed: 5 additions & 5 deletions
@@ -9,9 +9,9 @@ ms.date: 03/25/2025
9
9
10
10
### What are Service Accounts?
11
11
12
-
Service accounts are specialized identities within Active Directory used to run applications, services, and automated tasks. These accounts often require elevated privileges to perform their designated job. However, because they can't authenticate like human accounts, they typically don't benefit from the increased security of modern authentication methods like MFA (multifactor authentication). Given their potential elevated privilege and the inherent limitations of the access policies that govern them, careful management and monitoring are crucial to ensure they don't become a security vulnerability.
12
+
Service accounts are specialized identities within Active Directory used to run applications, services, and automated tasks. These accounts often require elevated privileges to perform their designated job. However, because they can't authenticate in the same way as human accounts, they typically don't benefit from the increased security of modern authentication methods like MFA (multifactor authentication). Given their potential elevated privilege and the inherent limitations of the access policies that govern them, careful management and monitoring are crucial to ensure they don't become a security vulnerability.
13
13
14
-
The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria and classifies them as service accounts. These accounts are then surfaced, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
14
+
The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria and classifies them as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
15
15
16
16
Service accounts can be broadly classified into several types, including:
17
17
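Review bot: In the second changed paragraph, "highlighted and presented" replaces "surfaced" with two verbs where one would do; "These accounts are then listed, along with relevant information ..." says the same thing and matches the "dedicated inventory" wording later in the sentence. In the first changed paragraph the abbreviation still comes before its expansion, "MFA (multifactor authentication)"; since the line is being touched anyway, consider "multifactor authentication (MFA)". "auto discovery" is also left unhyphenated in the changed line, so check it against the spelling used in the rest of the article.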
@@ -40,7 +40,7 @@ There are several options you can choose from to customize the identities list v
40
40
- Export the list to a CSV file.
41
41
42
42
> [!NOTE]
43
-
> When exporting the Service accounts list to a CSV file, a maximum of 2000 Service accounts are displayed.
43
+
> When exporting the service accounts list to a CSV file, a maximum of 2,000 service accounts are displayed.
44
44
45
45
### Service account details
46
46
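Review bot: The changed note line still says a maximum of 2,000 service accounts "are displayed" when exporting to CSV, but an export writes rows to a file, so "are exported" or "are included in the file" is the accurate verb. The note also does not say which accounts are kept when the tenant has more than 2,000, and a reader using the CSV as a complete inventory needs to know that the file can be truncated and how to get the rest (for example by filtering before export, if that is supported). The lowercase "service accounts" here is good, but the next section's introduction, "When you investigate a specific Service account", keeps the capital S, so the casing is still inconsistent within the file.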
@@ -85,9 +85,9 @@ When you investigate a specific Service account, you'll see the following detail
85
85
|Source type | What kind of device or system is initiating the request. For example, server, workstation or domain controller. |
86
86
|Source risk | Identicates the risk posed to the source from no risk to high risk. |
87
87
|Destination | Where the request is being directed to. The target system that the service account is trying to access. For example, when trying to access a destination server, there can be multiple resources on that server (for example, a database and a file-server). |
88
-
|Destination type | Server, Workstation or Domain controller. |
88
+
|Destination type | Server, Workstation, or Domain controller. |
89
89
|Auth protocols | Kerberos and NTLM |
90
-
|Service Class | The services within a network that define the type of service being provided, often used for authentication and resource management. These include: Lightweight Directory Access Protocol (LDAP), Common Internet File System (CIFS), Remote Procedure Call (RPC), Remote Procedure Call Subsystem (RPCSS), "HTTP", Terminal Services (TERMSRV), and "HOST" |
90
+
|Service Class | The services within a network that define the type of service being provided, often used for authentication and resource management. These include: Lightweight Directory Access Protocol (LDAP), Common Internet File System (CIFS), Remote Procedure Call (RPC), Remote Procedure Call Subsystem (RPCSS), "HTTP," Terminal Services (TERMSRV), and "HOST" |
91
91
|Count | How many sign in events occurred over this connection in the last 180 days.
92
92
Last seen | The date and time of the most recent sign in event over this connection. |
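Review bot: In the Service Class row, moving the comma inside the quotation marks ("HTTP,") makes it look like part of the literal service class value; HTTP and HOST are identifiers, so code formatting for both, with the comma outside, avoids the ambiguity. The Destination type row now reads "Server, Workstation, or Domain controller" with capitals and a serial comma, while the Source type row just above uses "server, workstation or domain controller", so one of the two should be aligned. The unchanged rows around this change also need fixing while the table is open: "Identicates" in the Source risk row is a typo for "Indicates", the Count row has no closing pipe, and the Last seen row has no leading pipe, which can break table rendering.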