Forum Discussion

OJA's avatar
OJA
Copper Contributor
Apr 19, 2023
Solved

fooUser appearing in Sentinel device logs

Hi, I noticed from an alert in MS Security Center there is an account called fooUser@<domain> that seems to do a lot of client operations outside of what I understand the account is for, which is In...
alerts
analytics
microsoft defender for endpoint
threat hunting
  • TechNashville's avatar
    TechNashville
    Apr 28, 2023

    The backend Team at inTune is working on a fix for the issue currently. Here was the official answer of what occurred:

     

    'This user does not represent a security threat.  As part of the DLP (Data Loss Prevention) service, an attempt is made to identify users associated with machines.  Recently, changes were implemented to the fallback method for WAM user fetching.  In hybrid join scenarios, there are instances in which a domain user cannot successfully be resolved to an AAD (Azure Active Directory) user identity and in these instances, the auto-join identity (foouser) is returned.  Microsoft is evaluating both short- and long-term solution to filter out DLP requests and alerts associated with foouser.'

Brok3NSpear's avatar
Brok3NSpear
Brass Contributor
Apr 27, 2023

OJA 

 

Have a support ticket open with MS for this also.

Some things that I was concerned with was the huge amount of data seen in use by the foouser account across over 500+ apps seen in Defender for Cloud Apps (MCAS)

Example, why is foouser account seen to be using (upload and download) for Gmail if it's just used for Intune enrollment? How can we determine which actual user is involved in certain activity when MCAS just shows the foouser account?

If we ever did have a major incident and the foouser UPN account was being shown in the logs instead of the actual users UPN (as we are currently seeing at times) wouldn't this be a big issue in regards to collecting forensic investigation logs in regards to the actual user, as all we can see is the foouser instead. This would also be a great way for a bad actor to hide their tracks, by hiding in plain sight. It's that part that concerns me, especially when thinking about potential data exfiltration.

I can also see that it is seen on 128 devices (never more) but less at the W/E (potentially where users machines are off) - what is significant about the number 128 as we have way more Intune enrolled machines that that, so would have expected this to be seen on all devices?

It shows in 11 tables for us when checking Rod_Trent  query:

search "fooUser"
| distinct $table


Glad this is getting some traction though from MS

Resources