What's MSWAC user Agent in Office 365 Audit logs?

I see a lot of file accesses via my account in Office 365 audit logs (under Security & Compliance Center) which were not initiated by me. They seem to be coming from Microsoft owned IP addresses in San Antonio - Texas and Des Moines - Iowa. The common user agent for these accesses is MSWAC. Not sure what that agent is for and why is it using my account to access files which I didn't access myself? Is it because Delve thinks I may be interested in such documents?

Anyone know what could be going on for sure so we can rule out a security attack.

 
 

Question Info


Last updated June 28, 2019 Views 2,984 Applies to:

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.

Hi RahulKapoor,

The MSWAC user Agent refers to Office Online. The possible scenario is that users use Office Online services to access their files.

Regards,
Allan

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Hi RahulKapoor,

Have you referred to the information above? Do you need further assistance?

Regards,
Allan

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

As I said I did not initiate access to the docs that are in my audit logs - Delve may be but it should not be using my account.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Hi RahulKapoor,

 

For “I did not initiate access to the docs that are in my audit logs”, do you mean you did not open these files whether from the document library or from the Office Online apps from the app launcher?

 

In addition, could you also provide us with some more detailed information about “Delve may be but it should not be using my account”?

 

Regards,

Allan

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Yes obviously I didn't open any of the documents through Office Online or app launcher or any other means but they are still in the Audit logs hence the concern. I noticed on my Delve profile that some of the docs in the audit logs are shown as "Popular Documents" which others in the company are working on but I did not click on them or access them. If Delve is accessing them on my behalf it should use a system account and they shouldn't show up as accessed by my account in the Audit logs. Having so much spurious content in the audit logs defeats the purpose of auditing.

BTW I also tried to change my password and within a few seconds the Audit log was full of entries about my account accessing documents that I'm not even aware of exist. So its definitely some Microsoft process doing something unexpected in the back.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Is there an update to this question?  I have noticed the same issue.  Why is user agent MSWAC accessing files with my username that i have not opened?  

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Hi 365 User,

 

The user agent in the audit log is provided by the client or browser. When a file in the SharePoint Online site or your OneDrive for Business is opened in the browser with your account, you may see the user agent: MSWAC.

 

You may edit or open a file in the browser with your Office 365 work or school account, and then get the audit logs to see the details. You may refer to the following article view the logs:

Detailed properties in the Office 365 audit log

 

Thanks,
Felix

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

That is helpful, but the concern is the log showing several occurrences of Accessed File (with a Microsoft IP address) and FilePreview (with my own IP address) by my userID, all with the same date and time.  I did not perform these actions.  Is there some background process or something i may have clicked that creates these events?

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

"Felix Tao MSFT" if you review the thread you will see that it has been clarified multiple times that I (user whose account shows in the log) did not access or open the files reported in the logs in any way. It is most likely a Delve bug where it basically determines files I may be interested in and shows them on the Delve page and they end up in the logs WITHOUT my opening them. This issue should be escalated to the Delve team, the fix to use a system account for such file list creation or trimming of Delve identified (but not accessed) files from the logs should be trivial. Delve is supposedly Satya Nadella's favorite feature which I find totally useless and it is actually hampering our use of SharePoint Security by cluttering the log with all these bogus entries - so maybe drop him a line as well ...

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Hi All,

 

Thanks for your update.

 

We need your tenant information, so we can involve the related team to look into this. As this information involves PII, I will move this conversation to Private message to obtain such details. You can access it via this URL: https://answers.microsoft.com/en-us/privatemessages/list

 

Thanks,

Sky

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.