Forum Discussion
OJA
Apr 19, 2023
Copper Contributor
fooUser appearing in Sentinel device logs
Hi, I noticed from an alert in MS Security Center there is an account called fooUser@<domain> that seems to do a lot of client operations outside of what I understand the account is for, which is In...
- Apr 28, 2023
The backend team at Intune is currently working on a fix for the issue. Here was the official answer of what occurred:
'This user does not represent a security threat. As part of the DLP (Data Loss Prevention) service, an attempt is made to identify users associated with machines. Recently, changes were implemented to the fallback method for WAM user fetching. In hybrid join scenarios, there are instances in which a domain user cannot successfully be resolved to an AAD (Azure Active Directory) user identity and in these instances, the auto-join identity (foouser) is returned. Microsoft is evaluating both short- and long-term solutions to filter out DLP requests and alerts associated with foouser.'
TechNashville
Apr 26, 2023
Brass Contributor
Hello. Just a bit of an update to those other worrywarts out there. This is definitely NOT a security issue. I did some preliminary troubleshooting with the Defender Team and I do not fully understand the whole issue as of yet, but the fooUser is a part of the Intune MDM enrollment process. If you take a look at this doc, you will see the fooUser mentioned: https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-understanding-auto-enrollment-in-a-co-managed/ba-p/834780

We also found fooUser in my registry. I am planning to jump back into it with the Defender Team tomorrow to see if we can get that username to not show up in the data somehow.
- Rod_Trent, Apr 26, 2023
Microsoft
Excellent blog here, too: https://call4cloud.nl/2022/09/foouser-meets-the-cosmic-autopilot-user/