diff --git a/ssa_detections/endpoint/ssa___anomalous_usage_of_account_credentials.yml b/ssa_detections/endpoint/ssa___anomalous_usage_of_account_credentials.yml
deleted file mode 100644
index 1c4f3f48a7..0000000000
--- a/ssa_detections/endpoint/ssa___anomalous_usage_of_account_credentials.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-name: Anomalous Usage of Account Credentials
-id: 629cbf9e-5785-11ec-9611-acde48001122
-version: 1
-date: '2021-12-07'
-author: Lou Stella, Splunk
-status: experimental
-type: Anomaly
-description: This is an anomaly generating detection looking for multiple interactive
-  logins within a specific time period. An insider threat may attempt to steal colleagues
-  credentials in low tech, undetectable methods, in order to gain access to additional
-  information or to hide their own behavior. This should capture their attempted use
-  of those credentials on a workstation.
-data_source: 
-- Windows Security 4624
-search: '| from read_ssa_enriched_events() | eval device=ucast(map_get(input_event,
-  "dest_device_id"), "string", null), auth_type=ucast(map_get(input_event, "authentication_type"),
-  "string", null), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string",
-  null)), src_user=ucast(map_get(input_event, "dest_user_original_artifact"), "string",
-  null), signature_id=ucast(map_get(input_event, "EventCode"), "string", null) | where
-  signature_id="4624" | where auth_type="2" OR auth_type="11" | where NOT (src_user="SYSTEM")
-  AND NOT (src_user="ANONYMOUS LOGON") | stats estdc(src_user) AS user_counter by
-  device, span(timestamp, 600s, 300s) | where user_counter>=2  | rename window_end
-  AS timestamp | eval start_time=window_start, end_time=timestamp, entities=mvappend(device),
-  body=create_map(["user_counter", user_counter, "device", device]) | into write_ssa_detected_events();'
-how_to_implement: To successfully implement this detection, you need to be ingesting
-  logon events from workstations.
-known_false_positives: Shared workstations can cause false positives
-references:
-- https://attack.mitre.org/techniques/T1078/002/
-tags:
-  analytic_story:
-  - Insider Threat
-  asset_type: Endpoint
-  confidence: 30
-  impact: 20
-  message: Multiple interactive logins detected on $device$
-  mitre_attack_id:
-  - T1078.002
-  observable:
-  - name: device
-    type: Hostname
-    role:
-    - Victim
-  product:
-  - Splunk Behavioral Analytics
-  required_fields:
-  - _time
-  kill_chain_phases:
-  - Exploitation
-  risk_score: 6
-  security_domain: access