What is a one sentence summary of your feature request?
Ability to define service accounts based on organizational units or naming conventions instead of relying solely on machine learning detection.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Currently, Threat Manager identifies service accounts primarily through machine learning based on observed activity patterns, which can lead to incomplete or inconsistent visibility. In many environments, service accounts are managed using strict internal conventions (e.g., specific OUs or naming prefixes like “SVC_”) to manage service accounts, but there is no way to reflect this logic within the product. This feature would enable administrators to define service accounts manually using criteria such as OU membership, naming patterns, or custom queries. It could work alongside existing ML detection (e.g., ML + manual rules), providing more accurate and complete coverage while aligning with how organizations structure their environments.
How do you currently solve the challenges you have by not having this feature?
Currently, service accounts are managed outside of the product using internal conventions (e.g., naming patterns or OUs), with limited support from existing features like tagging. This requires manual validation and makes it difficult to ensure full and accurate coverage.