Non-Expiring and Service Accounts
The Non-Expiring Users page has a list of all users who own accounts with non-expiring passwords. To view the Non-Expiring Users page, click Users & Accounts > Non-Expiring Users.
For all non-expiring accounts, this page displays the username, title, the last time the user accessed the system, if the user is a Service Account, and if the user is on the Watchlist. The left panel check boxes allow you to filter between Service and User Accounts, active and disabled users, and admin and non-admin users. All non-expiring accounts default to User Accounts.
Service Accounts
Service Accounts represent machine accounts that are typically designed for machine processing within your network. InsightIDR does not expect these accounts to be used outside your network. If you mark an account as a Service Account, InsightIDR will monitor for any activity entering your network using that account and will generate an INGRESS FROM SERVICE ACCOUNT
or LATERAL MOVEMENT - SERVICE ACCOUNT
detection to warn you of that activity. For example, InsightIDR would generate a detection if someone used a Service Account to login to a VPN.
InsightIDR automatically tags Service Accounts by checking if an account belongs to one of these organizational units in their Active Directory:
service accounts
serviceaccounts
service_accounts
You can also manually identify an account as a Service Account.
To add or remove a Service Account tag:
- From your dashboard, select Users & Accounts from the left menu.
- Click Non-Expiring Users.
- Find the user that you want to update.
- Click the Yes/No toggle in the Service Account column.
Bulk Select Accounts
The bulk select feature allows you to update the Account Type and Watchlist status of multiple accounts at a time.
To add or remove multiple Service Account and Watchlist tags:
- From your dashboard, select Users & Accounts from the left menu.
- Click Non-Expiring Users.
- Click on the checkbox to the left of each user’s name to indicate which accounts you would like to update.
- Use the dropdown at the top of the page to change the accounts to Service Accounts or to User Accounts.
- Use the dropdown at the top of the page to add or remove users from the Watchlist.
- Click Apply.
Configure a Service Account
Learn how to set up a Service Account so that InsightIDR can collect log events and endpoint scans in your environment.