Forum Discussion
OJA (Copper Contributor), Apr 19, 2023

fooUser appearing in Sentinel device logs
Hi, I noticed from an alert in MS Security Center there is an account called fooUser@<domain> that seems to do a lot of client operations outside of what I understand the account is for, which is In...
- Apr 28, 2023
The backend team at Intune is working on a fix for the issue currently. Here was the official answer of what occurred:
'This user does not represent a security threat. As part of the DLP (Data Loss Prevention) service, an attempt is made to identify users associated with machines. Recently, changes were implemented to the fallback method for WAM user fetching. In hybrid join scenarios, there are instances in which a domain user cannot successfully be resolved to an AAD (Azure Active Directory) user identity, and in these instances the auto-join identity (foouser) is returned. Microsoft is evaluating both short- and long-term solutions to filter out DLP requests and alerts associated with foouser.'
Brok3NSpear (Copper Contributor), Jun 08, 2023
Do we know if this fix has been released yet? We are still seeing alerts in MCAS (MS Defender for Cloud Apps) for foouser uploading/downloading, but have no idea as to exactly who the user really is.
- Peter Field (Copper Contributor), Jun 08, 2023
We are still seeing it, and still have a ticket open for it. It depends on the table, but you may find the actual user in another field for the same event, i.e., the username may be right while the UPN is wrong.
Microsoft's response of "does not represent a security threat" may be true, but it doesn't stop this being a security risk for alerts we can't attribute, or alerts that aren't firing at all because of the broken relationship between tables.
- TechNashville (Copper Contributor), Jun 08, 2023
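The triage approach described in the thread, re-attributing an event from its other identity fields when the UPN carries the auto-join placeholder and flagging the events that still cannot be attributed, as an added example that is not code from any poster or from Microsoft. The field names (`account_upn`, `account_name`, `account_domain`, `device_name`) and the sample events are assumptions constructed for the example, loosely modelled on the Defender/Sentinel hunting schema rather than taken from any real table or export.

```python
# Added example, not code from the thread or from Microsoft: re-attribute events whose
# UPN field carries the Intune auto-join placeholder identity ("fooUser@<domain>")
# from the other identity fields on the same event, and flag the ones that stay
# unattributable so they can be escalated rather than silently dropped.
# Field names (account_upn, account_name, account_domain, device_name) are assumptions
# loosely modelled on the Defender/Sentinel hunting schema, not a real table.
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

PLACEHOLDER_PREFIX = "foouser@"  # UPN prefix that Microsoft's note attributes to the auto-join identity


@dataclass
class DeviceEvent:
    timestamp: str
    device_name: str
    account_upn: str
    account_name: str
    account_domain: str
    action: str


@dataclass
class Attribution:
    event: DeviceEvent
    resolved_user: Optional[str]  # None when no field identifies a real person
    source: str                   # "upn", "name+domain" or "unresolved"


def is_placeholder_upn(upn: str) -> bool:
    """True when the UPN is the auto-join placeholder rather than a real user."""
    return upn.strip().lower().startswith(PLACEHOLDER_PREFIX)


def attribute(event: DeviceEvent) -> Attribution:
    """Prefer the UPN; fall back to domain\\username when the UPN is the placeholder."""
    if not is_placeholder_upn(event.account_upn):
        return Attribution(event, event.account_upn.strip(), "upn")
    name = event.account_name.strip()
    # The fallback only helps if the username field is not the placeholder as well.
    if name and not name.lower().startswith("foouser"):
        domain = event.account_domain.strip()
        user = f"{domain}\\{name}" if domain else name
        return Attribution(event, user, "name+domain")
    return Attribution(event, None, "unresolved")


def triage(events: List[DeviceEvent]) -> Tuple[List[Attribution], Counter]:
    """Attribute every event and count the unresolved ones per device for follow-up."""
    results = [attribute(e) for e in events]
    unresolved_per_device = Counter(
        r.event.device_name for r in results if r.source == "unresolved"
    )
    return results, unresolved_per_device


# Constructed sample events (not real log data); device names, users and times are invented.
SAMPLE_EVENTS = [
    DeviceEvent("2023-06-08T09:00:00Z", "LAPTOP-01", "alice@contoso.example",
                "alice", "CONTOSO", "FileUpload"),
    DeviceEvent("2023-06-08T09:05:00Z", "LAPTOP-02", "fooUser@contoso.example",
                "bob", "CONTOSO", "FileDownload"),
    DeviceEvent("2023-06-08T09:07:00Z", "LAPTOP-03", "foouser@contoso.example",
                "foouser", "CONTOSO", "FileUpload"),
    DeviceEvent("2023-06-08T09:09:00Z", "LAPTOP-03", "fooUser@contoso.example",
                "", "", "FileUpload"),
]


def summarize(events: List[DeviceEvent] = SAMPLE_EVENTS) -> dict:
    """Return per-source counts and the devices that still need manual attribution."""
    results, unresolved = triage(events)
    by_source = Counter(r.source for r in results)
    return {
        "by_source": dict(by_source),
        "resolved_users": [r.resolved_user for r in results if r.resolved_user],
        "unresolved_per_device": dict(unresolved),
    }


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS)[0]:
        print(f"{r.event.timestamp} {r.event.device_name:10} {r.event.action:13} "
              f"-> {r.resolved_user or 'UNRESOLVED'} ({r.source})")
    print(summarize())
```

The per-device count of unresolved events is the part worth keeping an eye on: a device that repeatedly produces placeholder-only events is one where the hybrid-join identity mapping is failing, so the alerts from it cannot be attributed at all and need a different route to the real user (for example, correlating the device name with the device's primary user in Intune) rather than being closed as benign.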