Microsoft 1st Party Service generating audit activity for user. Media Analysis and Transformation Services.

Lee, Richard 0 Reputation points

Is it common for "Media Analysis and Transformation Services" to generate FileAccessed events for users even though they never accessed the specific file identified in the log?

I am seeing a lot of activity where the unified audit logs to not correctly display what the user actually access.

The following UserAgents are tied to these logs as well.



According to the following response linked below, "Media Analysis and Transformation Service also has a background analysis role used to enrich document metadata and improve search recall.

Is this possibly the reason of these false logs? If so, is there a way to identify what is a true FileAccessed event vs this background process that gets captured in the audit logs/activity logs?

A Microsoft file hosting and synchronization service.
904 questions
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,013 questions
Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
998 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 98,201 Reputation points MVP

    There are many "noise" events across the service, usually Microsoft does exclude (some) first-party services after customers complain, but that's not always the case. And there's always some new service/process generating events...

    Anyway, in this case this is "officially confirmed" scenario, so you can safely ignore/exclude such entries. The easiest way to identify them should be by the actor/application ID field.

    1 person found this answer helpful.