If you’re digging into Cloud App logs, Sentinel, or even Log Analytics logs, you’ll probably notice that some activities are performed by an account named “app@sharepoint”.
Coming from the world of SharePoint on-prem, my first reaction was… what is this? But then I got curious about that account and started to dig in for more detail. You can follow the same steps I did:
First, in your Log Analytics query window, type the following:
So… what can we extract from this information? That app@sharepoint is an account used as a service principal for SharePoint operations (and yes, for Teams and OneDrive as well).
Now that we have solved this little mystery, you can go ahead and whitelist the account if you think it’s necessary, so that it doesn’t add more noise to your logs.
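
One way to quiet the account without losing sight of it, as an added example (not the query from the original post): instead of excluding every app@sharepoint event, suppress only the workload/operation pairs the account already performed during a baseline window and surface anything new. It assumes the Microsoft 365 data is in the `OfficeActivity` table of your workspace; the 14-day and 1-day windows are arbitrary choices.

```kusto
// Added example: scoped suppression for the app@sharepoint service account.
// Assumption: Microsoft 365 audit data lands in the OfficeActivity table.
let account = "app@sharepoint";
// Baseline: every workload/operation pair the account used in the prior two weeks.
let baseline =
    OfficeActivity
    | where TimeGenerated between (ago(14d) .. ago(1d))
    | where UserId =~ account
    | distinct OfficeWorkload, Operation;
// Last 24 hours: keep only activity that does NOT match the baseline.
OfficeActivity
| where TimeGenerated > ago(1d)
| where UserId =~ account
| join kind=leftanti baseline on OfficeWorkload, Operation
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by OfficeWorkload, Operation
| order by Events desc
```

An empty result means the account did nothing it had not done during the baseline period; any row returned is an operation that would have been hidden by a blanket exclusion.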
Till next time!