Service account usage
I've been asked by a customer to try and identify service accounts operating in their ADDS environment. I have access to both MDI and MDE (which is installed on 3 out of 4 DCs and a large percentage …).
Does anything in the Defender stack inventory the services on machines and retrieve which accounts are being used to launch them? I have a list of service accounts based on the client's naming convention, but I strongly suspect that that list is incomplete.
Any assistance or guidance would be greatly appreciated. I've spent this afternoon experimenting with KQL but am not satisfied with the outcome.