Forum Discussion
fooUser appearing in Sentinel device logs
- Apr 28, 2023
The backend Team at inTune is working on a fix for the issue currently. Here was the official answer of what occurred:
'This user does not represent a security threat. As part of the DLP (Data Loss Prevention) service, an attempt is made to identify users associated with machines. Recently, changes were implemented to the fallback method for WAM user fetching. In hybrid join scenarios, there are instances in which a domain user cannot successfully be resolved to an AAD (Azure Active Directory) user identity and in these instances, the auto-join identity (foouser) is returned. Microsoft is evaluating both short- and long-term solution to filter out DLP requests and alerts associated with foouser.'
Same as everyone else here. Seeing fooUser in some tables and in Defender for Cloud apps. Most will understand why this would be alarming to anyone who administers a domain. I've opened a ticket with Azure support and will report back what I learn.