Multiple logged on users showing Windows Defender Security Center's agent

%3CLINGO-SUB%20id%3D%22lingo-sub-524895%22%20slang%3D%22en-US%22%3EMultiple%20logged%20on%20users%20showing%20Windows%20Defender%20Security%20Center's%20agent%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-524895%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Team%2C%3C%2FP%3E%3CP%3EI%20am%20using%20the%20licensed%20Windows%20Defender%20Security%20Center.%3C%2FP%3E%3CP%3EWhile%20seeing%20a%20triggered%20alert%20one%20of%20machine%2C%20I%20saw%20a%20section%20-%22%3CSPAN%20class%3D%22wcd-flex-1%22%3E%3CSPAN%3ELogged%20on%20users%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22logged-on-users-time-title%22%3E(last%2030%20days)%3C%2FSPAN%3E%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22wcd-flex-1%22%3EWhich%20is%20probably%20meaning%20that%2C%20%22Num%20of%20users%20have%20logged%20in%20a%20machine%22.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22wcd-flex-1%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F111923i03E3C8A6B942319C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22ATP.png%22%20title%3D%22ATP.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22wcd-flex-1%22%3EI%20amazed%20when%20I%20saw%20this%20much%20number%20of%20user%20logged%20on%20a%20single%20host.%20As%20I%20asked%20to%20user%20but%20he%20replied%20as%20no%2C%20he%20is%20the%20only%20who%20is%20using%20to%20login.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22wcd-flex-1%22%3ECan%20anyone%20suggest%2C%20what%20to%20investigate%20in%20this%20case%3F%20and%20why%20this%20is%20showing%20much%20count%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22wcd-flex-1%22%3E**Full%20scan%20done%20already.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-877450%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20logged%20on%20users%20showing%20Windows%20Defender%20Security%20Center's%20agent%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-877450%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324783%22%20target%3D%22_blank%22%3E%40Arpit3655%3C%2FA%3E%26nbsp%3Bdid%20you%20discover%20the%20cause%3F%3CBR%20%2F%3EWe%20are%20seeing%20the%20same%20thing.%20Several%20(10%2B)%20network%20logins%20from%20users%20accounts%20that%20we%20cant%20explain.%20Happening%20on%20only%20a%20few%20of%20our%20machines.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-897882%22%20slang%3D%22en-US%22%3ERE%3A%20Multiple%20logged%20on%20users%20showing%20Windows%20Defender%20Security%20Center's%20agent%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-897882%22%20slang%3D%22en-US%22%3EMy%20organization%20is%20also%20seeing%20this.%20Nothing%20in%20the%20documentation%20explains%20this.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-996012%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20logged%20on%20users%20showing%20Windows%20Defender%20Security%20Center's%20agent%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-996012%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324783%22%20target%3D%22_blank%22%3E%40Arpit3655%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F421572%22%20target%3D%22_blank%22%3E%40bartlettdn%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EBumping%20this.%20We%20deployed%20Azure%20ATA%20to%20suck%20in%20AD%20data%20for%20more%20visibility%2C%20however%20that%20didn't%20reveal%20an%20answer.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-996781%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20logged%20on%20users%20showing%20Windows%20Defender%20Security%20Center's%20agent%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-996781%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324783%22%20target%3D%22_blank%22%3E%40Arpit3655%3C%2FA%3Ecan%20you%20share%20what%20type%20of%20users%20you%20are%20seeing%3F%20I%20noticed%20this%20in%20a%20couple%20of%20machines%20but%20when%20you%20look%20at%20the%20list%20of%20users%20only%20one%20was%20human%2C%20and%20then%20I%20had%20system%20accounts%20listed%20-%20which%20kinda%20makes%20sense.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Visitor

Hello Team,

I am using the licensed Windows Defender Security Center.

While seeing a triggered alert one of machine, I saw a section -"Logged on users (last 30 days)"

Which is probably meaning that, "Num of users have logged in a machine".

ATP.png

I amazed when I saw this much number of user logged on a single host. As I asked to user but he replied as no, he is the only who is using to login.

Can anyone suggest, what to investigate in this case? and why this is showing much count?

**Full scan done already.

4 Replies
Highlighted

@Arpit3655 did you discover the cause?
We are seeing the same thing. Several (10+) network logins from users accounts that we cant explain. Happening on only a few of our machines.

Highlighted
My organization is also seeing this. Nothing in the documentation explains this.
Highlighted

@Arpit3655 @bartlettdn 
Bumping this. We deployed Azure ATA to suck in AD data for more visibility, however that didn't reveal an answer. 

Highlighted

@Arpit3655can you share what type of users you are seeing? I noticed this in a couple of machines but when you look at the list of users only one was human, and then I had system accounts listed - which kinda makes sense.