Detects accounts with unusually high daily sign-in events, which can indicate malicious activity or the presence of a service account. A user will fail this check if Oort detects more than 1,000 sign-in events per day.

Recommended Actions

Tag known service accounts and machine identities as “MACHINE” in Oort. Investigate the spike to determine what application is generating the activity.

Default Check Settings

Events per day: 1,000

Compatibility

Microsoft Entra ID

Okta

Duo

Google Workspace