This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 51%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
I am seeing alot of activity in the events log associated with the MSOL_xxxxx account especially off hours. Is this normal or should I be looking for a cause? The event logs samples are below.
Security: A Kerberos authentication ticket (TGT) was requested.
Security: A Kerberos service ticket was requested.
Security: A logon was attempted using explicit credentials.
Security: An account was successfully logged on.
Security: An account was logged off.
Security: A Kerberos authentication ticket (TGT) was requested.
Security: A Kerberos service ticket was requested.
Security: A logon was attempted using explicit credentials.
Security: An account was successfully logged on.
Security: An account was logged off.
Security: An account was successfully logged on.
Security: An operation was performed on an object.
Security: An operation was performed on an object.
Security: An operation was performed on an object.
Security: A Kerberos service ticket was requested.
Security: A logon was attempted using explicit credentials.
Security: An account was successfully logged on.
Security: An account was logged off.
Security: Special privileges assigned to new logon.
Security: An account was successfully logged on.
Security: An account was logged off.
Security: Special privileges assigned to new logon.
Security: An account was successfully logged on.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
Once we configured these audit policies, there will be event logs recorded such as:
Security: A Kerberos authentication ticket (TGT) was requested.
Security: A logon was attempted using explicit credentials.
Security: An account was successfully logged on.
Security: An account was logged off.
If lots of accounts log on, there will be lots of activities in the event logs. According to our description, all the event logs are associated with certain account. If we have any doubt, we could verity whether this account is real and existed and then contact the account MSOL_xxxxx account to verify whether this account has preformed the actions.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
Hello,
I am checking how the issue is going, if you still have any questions, please feel free to contact us.
Thank you so much for your time and support.
Best regards,
Hannah Xiong
Hello,
Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?
Thank you so much for your time and support.
Best regards,
Hannah Xiong