Forum Discussion

1 Reply

  • DylanInfosec
    Iron Contributor

    Hey Champ14-1020

    Disclaimer: I’m not familiar with Cloud PC behavior, but this generally does look suspicious.

    You can try pinning down what’s happening by looking at an affected device’s Timeline (+-1m) in the Defender portal around the time of these events to identify what is triggering this alert. There are some legitimate programs that perform questionable tasks. Perhaps a startup or provisioning script is being pushed out.

    Even something in Advanced Hunting like: 

    DeviceNetworkEvents
    | where TimeGenerated between ( .. )   // fill in the window around the alert; the column is Timestamp in Defender XDR advanced hunting and TimeGenerated in Sentinel
    | where DeviceId == "<id>"             // the affected device
    | where RemotePort == 389              // LDAP
    | project TimeGenerated, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

    could help identify what may be happening here. 

    Best regards,

    Dylan
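A fuller version of the query the reply describes, added here as an example and not taken from the original post: it scopes the port-389 connections to a one-minute window either side of the alert on one device, then summarizes them by the process, command line, parent process and account that initiated them, so the legitimate-but-noisy case (a provisioning or startup script) separates from anything unexpected. The alert timestamp and `<DeviceId>` are placeholders you take from the alert; the column is `Timestamp` in Defender XDR advanced hunting and `TimeGenerated` if you run the same query against Sentinel.

```kusto
// Added example, not the original poster's query.
// alertTime and deviceId are placeholders: take them from the alert itself.
let alertTime = datetime(2024-01-01T12:00:00Z);   // assumption: replace with the alert's timestamp
let deviceId = "<DeviceId>";                      // assumption: replace with the affected device's id
DeviceNetworkEvents
// +-1 minute around the alert, matching the Timeline view in the portal
| where Timestamp between ((alertTime - 1m) .. (alertTime + 1m))
| where DeviceId == deviceId
| where RemotePort == 389                          // LDAP
// one row per initiating process/account pair, with how often and where it connected
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Targets = make_set(RemoteIP)
  by InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessParentFileName,
     InitiatingProcessAccountName
| order by Connections desc
```

Read the result top-down: a domain-joined device talking LDAP from lsass.exe or a management agent under a system account at a steady cadence is the provisioning or policy traffic the reply mentions; a user-context process such as a script host or an unusual binary with a hand-written command line is the row to pivot on in the Timeline and in DeviceProcessEvents.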
