Microsoft 1st Party Service generating audit activity for user. Media Analysis and Transformation Services.

Question

Is it common for "Media Analysis and Transformation Services" to generate FileAccessed events for users even though they never accessed the specific file identified in the log?

I am seeing a lot of activity where the unified audit logs to not correctly display what the user actually access.

The following UserAgents are tied to these logs as well.

ODMTADemand-Transform_Thumbnail/1.497

ODMTADocCache/1.497

According to the following response linked below, "Media Analysis and Transformation Service also has a background analysis role used to enrich document metadata and improve search recall.

https://learn.microsoft.com/en-us/answers/questions/902074/clarify-role-of-media-analysis-and-transformation

Is this possibly the reason of these false logs? If so, is there a way to identify what is a true FileAccessed event vs this background process that gets captured in the audit logs/activity logs?

Answer 1

There are many "noise" events across the service, usually Microsoft does exclude (some) first-party services after customers complain, but that's not always the case. And there's always some new service/process generating events...

Anyway, in this case this is "officially confirmed" scenario, so you can safely ignore/exclude such entries. The easiest way to identify them should be by the actor/application ID field.