Interactive login by a service account

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Windows Event Collector OR XDR Agent
Detection Modules	Identity Analytics
ATT&CK Tactic	Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Domain Accounts (T1078.002)
Severity	Low

A service account performed an interactive or remote interactive login.

Use an account that has access to resources to move laterally in the network and access privileged resources.

See whether the login was successful.
Check whether the account has done any administrative actions it should not usually do.
Look for more logins and authentications by the account throughout the network.

ATT&CK Tactic	Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Domain Accounts (T1078.002)
Severity	Medium

Interactive login by a service account to a sensitive server.

Use an account that has access to resources to move laterally in the network and access privileged resources.

See whether the login was successful.
Check whether the account has done any administrative actions it should not usually do.
Look for more logins and authentications by the account throughout the network.

ATT&CK Tactic	Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Domain Accounts (T1078.002)
Severity	Informational

A service account performed an interactive or remote interactive login.

Use an account that has access to resources to move laterally in the network and access privileged resources.

See whether the login was successful.
Check whether the account has done any administrative actions it should not usually do.
Look for more logins and authentications by the account throughout the network.