# Accounts With Unusually High Activity

Detects accounts with unusually high daily sign-in events, which can indicate unauthorized or malicious activity or the presence of a service account. An account will fail this check if Oort detects more than 1,000 sign-in events per day.

**Recommended Actions**

For the known service accounts and machine identities, change an IDP attribute of the account such as User Type, title, or department to include the phrase `Service Account` so that it can be identified easily.  You may also elect to exclude the account from this check indefinitely if this is normal behavior for the service account.   \
\
If it is a regular user account, then investigate the spike to determine what application is generating the activity.<br>

**Default Check Settings**

Events per day: 1,000

**Compatibility**

[Microsoft Entra ID](https://docs.oort.io/integrations/azure-active-directory-integration)

[Okta](https://docs.oort.io/integrations/okta-data-integration)

[Duo](https://docs.oort.io/integrations/duo-security-integration)

[Google Workspace](https://docs.oort.io/integrations/google-workspace-integration)

[Snowflake](https://docs.oort.io/integrations/snowflake)

<br>