Forum Discussion
fooUser appearing in Sentinel device logs
- Apr 28, 2023
The backend team at Intune is working on a fix for the issue currently. Here was the official answer of what occurred:
'This user does not represent a security threat. As part of the DLP (Data Loss Prevention) service, an attempt is made to identify users associated with machines. Recently, changes were implemented to the fallback method for WAM user fetching. In hybrid join scenarios, there are instances in which a domain user cannot successfully be resolved to an AAD (Azure Active Directory) user identity and in these instances, the auto-join identity (foouser) is returned. Microsoft is evaluating both short- and long-term solutions to filter out DLP requests and alerts associated with foouser.'
Also, run the following to show exactly which tables fooUser is showing up in:
search "fooUser"
| distinct $table
- jasonchrist, Apr 20, 2023, Copper Contributor
Hi Rod, it occurs in my organisation as well. It appears in the following table.
Most of them are in the InitiatingProcessAccountUpn field name.
- Peter160, Apr 20, 2023, Copper Contributor
I spotted this today in our logs too. Had me very confused.