Microsoft 1st Party Service generating audit activity for user. Media Analysis and Transformation Services.

Lee, Richard 0 Reputation points
2024-06-10T16:07:21.5166667+00:00

Is it common for "Media Analysis and Transformation Services" to generate FileAccessed events for users even though they never accessed the specific file identified in the log?

I am seeing a lot of activity where the unified audit logs do not correctly display what the user actually accessed.

The following UserAgents are tied to these logs as well.

ODMTADemand-Transform_Thumbnail/1.497

ODMTADocCache/1.497

According to the response linked below, "Media Analysis and Transformation Service also has a background analysis role used to enrich document metadata and improve search recall."

https://learn.microsoft.com/en-us/answers/questions/902074/clarify-role-of-media-analysis-and-transformation

Is this possibly the reason for these false logs? If so, is there a way to identify what is a true FileAccessed event vs this background process that gets captured in the audit logs/activity logs?


1 answer

  1. Vasil Michev 98,201 Reputation points MVP
    2024-06-10T17:29:46.3333333+00:00

    There are many "noise" events across the service. Usually Microsoft does exclude (some) first-party services after customers complain, but that's not always the case. And there's always some new service/process generating events...

    Anyway, in this case this is an "officially confirmed" scenario, so you can safely ignore/exclude such entries. The easiest way to identify them should be by the actor/application ID field.

    1 person found this answer helpful.
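
An added example, not part of the original thread or Microsoft's own tooling: a triage script that separates background-service FileAccessed records from user-driven ones in an exported audit log, using the user agents quoted in the question and the application field suggested in the answer. It assumes one AuditData JSON object per line with the fields `Operation`, `UserId`, `ObjectId`, `UserAgent`, `ApplicationId` and `ApplicationDisplayName`; the application ID is a placeholder to replace with the value seen in your own tenant, and the sample records are constructed.

```python
import json
from collections import defaultdict

# User-agent product tokens quoted in the question (version suffix ignored).
BACKGROUND_AGENTS = {"ODMTADemand-Transform_Thumbnail", "ODMTADocCache"}
# Service name as written on the page, compared case-insensitively.
BACKGROUND_APP_NAMES = {"media analysis and transformation service",
                        "media analysis and transformation services"}
# Placeholder (assumption): replace with the application ID in your tenant's records.
BACKGROUND_APP_IDS = {"<MATS-APPLICATION-ID>"}

def is_background(rec: dict) -> bool:
    """True when a record is attributable to the first-party background service."""
    agent = (rec.get("UserAgent") or "").split("/", 1)[0].strip()
    app_name = (rec.get("ApplicationDisplayName") or "").strip().lower()
    app_id = (rec.get("ApplicationId") or "").strip()
    return (agent in BACKGROUND_AGENTS or app_name in BACKGROUND_APP_NAMES
            or app_id in BACKGROUND_APP_IDS)

def triage(lines):
    """Count FileAccessed records per (user, file), split into user and background."""
    result = {"user": defaultdict(int), "background": defaultdict(int)}
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "FileAccessed":
            continue  # other operations are out of scope for this check
        bucket = "background" if is_background(rec) else "user"
        result[bucket][(rec.get("UserId", ""), rec.get("ObjectId", ""))] += 1
    return result

def background_only(result):
    """(user, file) pairs whose only FileAccessed evidence is the background service."""
    return sorted(set(result["background"]) - set(result["user"]))

# Constructed sample records (not real tenant data).
SAMPLE = """
{"Operation":"FileAccessed","UserId":"alice@example.com","ObjectId":"https://tenant.example/docs/a.docx","UserAgent":"ODMTADocCache/1.497"}
{"Operation":"FileAccessed","UserId":"alice@example.com","ObjectId":"https://tenant.example/docs/a.docx","UserAgent":"ODMTADemand-Transform_Thumbnail/1.497"}
{"Operation":"FileAccessed","UserId":"alice@example.com","ObjectId":"https://tenant.example/docs/b.xlsx","UserAgent":"Mozilla/5.0 (Windows NT 10.0)"}
{"Operation":"FileAccessed","UserId":"alice@example.com","ObjectId":"https://tenant.example/docs/b.xlsx","UserAgent":"ODMTADocCache/1.497"}
{"Operation":"FileDownloaded","UserId":"bob@example.com","ObjectId":"https://tenant.example/docs/c.pdf","UserAgent":"Mozilla/5.0"}
{"Operation":"FileAccessed","UserId":"bob@example.com","ObjectId":"https://tenant.example/docs/c.pdf","UserAgent":"","ApplicationDisplayName":"Media Analysis and Transformation Service"}
"""

if __name__ == "__main__":
    for user, obj in background_only(triage(SAMPLE.splitlines())):
        print(f"background only: {user} {obj}")
```

During an investigation, keep the background records in the raw export and filter only in the analysis view, so the original evidence stays intact.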