User Profile
OJA
Copper Contributor
Joined Sep 13, 2019
Recent Discussions
Re: fooUser appearing in Sentinel device logs
Yes, spot on. It looks a lot like impersonation, which makes it quite alarming. It's also frustrating when support reps don't seem to immediately grasp the concern. One would think they would know the Windows ecosystem well enough to understand that this type of sudden appearance of an obscure account name should trigger immediate escalation. Even though the name is used in certain Intune processes, that's definitely not what it is mostly known for. Good catch with the 128 devices, I see the exact same thing. I noticed that when I opened a file on a computer, fooUser would show up in events for creating the link to the file in the "Recent files" section in Explorer and similar actions that the system performs behind the scenes during such user activities.
fooUser appearing in Sentinel device logs
Hi, I noticed from an alert in MS Security Center that there is an account called fooUser@<domain> that seems to do a lot of client operations outside of what I understand the account is for, which is Intune enrollment in Autopilot. https://call4cloud.nl/2022/09/foouser-meets-the-cosmic-autopilot-user/ But I'm seeing process creations, file creations, etc. This started on the 11th of April on a single device and has since escalated to over a hundred. The first device was actually in an Autopilot process when the events started to get logged, but now there are a lot of machines that have been active for a long time where the logs are coming in from as well. The following query is what I used to find the events in Advanced hunting:
search in (DeviceEvents, DeviceFileCertificateInfo, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents) "fooUser"
| sort by TimeGenerated asc
Does anyone else see this behavior?
Azure Monitor - Centralized or per-subscription
Hi, I'm looking into cleaning up Log Analytics/App Insights etc. for our subscriptions, and I want to configure Azure Monitor (preferably with policies). We have a few subscriptions each for prod, dev/test and QA environments. I'm not sure whether it would be better to create a separate subscription only to host Azure Monitor for all subscriptions, or if we should have a workspace in each subscription requiring monitoring. What would be the pros and cons for each approach? Is cross-subscription monitoring supported for all workloads, or would some require a Monitor workspace in its home subscription?
Re: Office, and potentially other apps, can launch other apps ... like a browser
Abel Espino I agree. If you have Office on your session hosts, Teams will also pop up every time you start any RemoteApp, if you haven't hacked the installer or made GPOs to prevent Teams from starting in the first place. And yes, they are hacks, because it should have been much easier to set global settings for Teams in the installer (and not have to spend an hour reading about different approaches and hundreds of people scratching their heads). It's like adware, it just shows up whether you want it to or not. And when I start a completely different RemoteApp, and Teams is not published, I don't expect Teams to start. This disallows using the same session hosts for remote desktop and RemoteApps, so we need to have more host pools and application groups so we can make these hacked versions behave like we want them to. And I agree, for those of us who don't have much experience dealing with RDS or TS, we don't really expect to have to read about all the dark corners of the old system when dealing with what is presented as the new cloud-based first-class-citizen solution.