Accounts With Unusually High Activity

Detects accounts with unusually high daily sign-in events, which can indicate malicious activity or the presence of a service account. A user will fail this check if Oort detects more than 1,000 sign-in events per day.

Recommended Actions

Tag known service accounts and machine identities as β€œMACHINE” in Oort. Investigate the spike to determine what application is generating the activity.

Default Check Settings

Events per day: 1,000


Microsoft Entra ID



Google Workspace

Last updated