ArcGIS portal logs an instance of "whoami.exe" in the security event log every minute or so. Security team are picking up on this as unusual activity. Is this normal behaviour by design and, if so, what is its purpose?
Thanks
That is by design, and it happens because Portal is checking that the ArcGIS Process owner can read / write to the required directories (db, temp, content, index).
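A triage sketch for the security team, added here as an example and not taken from Esri or from the posts above: it groups `whoami.exe` process-creation records (Security log Event ID 4688) by account and parent process, and labels a group as periodic only when the gaps between runs cluster around one minute, which is the pattern the answer describes. The account names, the parent-process placeholder and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample rows: (TimeCreated, SubjectUserName, ParentProcessName) from
# Event ID 4688 records whose NewProcessName ends in whoami.exe.
# "svc_arcgis" and "PLACEHOLDER_PARENT.exe" are placeholders, not values from the page.
SAMPLE = [
    ("2024-01-01T10:00:02", "svc_arcgis", "PLACEHOLDER_PARENT.exe"),
    ("2024-01-01T10:01:03", "svc_arcgis", "PLACEHOLDER_PARENT.exe"),
    ("2024-01-01T10:02:02", "svc_arcgis", "PLACEHOLDER_PARENT.exe"),
    ("2024-01-01T10:03:04", "svc_arcgis", "PLACEHOLDER_PARENT.exe"),
    ("2024-01-01T10:04:02", "svc_arcgis", "PLACEHOLDER_PARENT.exe"),
    ("2024-01-01T10:05:03", "svc_arcgis", "PLACEHOLDER_PARENT.exe"),
    ("2024-01-01T10:02:30", "jdoe", "cmd.exe"),
    ("2024-01-01T10:02:41", "jdoe", "cmd.exe"),
    ("2024-01-01T10:00:00", "svc_backup", "powershell.exe"),
    ("2024-01-01T10:00:05", "svc_backup", "powershell.exe"),
    ("2024-01-01T10:05:05", "svc_backup", "powershell.exe"),
    ("2024-01-01T10:05:15", "svc_backup", "powershell.exe"),
    ("2024-01-01T10:08:35", "svc_backup", "powershell.exe"),
]


def classify(events, period=60.0, tolerance=15.0, max_jitter=10.0, min_runs=5):
    """Return {(account, parent): 'periodic' | 'review'} for whoami.exe launches.

    A group is 'periodic' when it has at least min_runs launches, the median gap
    is within `tolerance` seconds of `period`, and the gaps vary by no more than
    `max_jitter` seconds (population standard deviation). Everything else,
    including short bursts and irregular runs, is left for an analyst to review.
    """
    groups = defaultdict(list)
    for ts, account, parent in events:
        groups[(account.lower(), parent.lower())].append(datetime.fromisoformat(ts))

    verdicts = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        steady = (
            len(times) >= min_runs
            and abs(median(gaps) - period) <= tolerance
            and pstdev(gaps) <= max_jitter
        )
        verdicts[key] = "periodic" if steady else "review"
    return verdicts


if __name__ == "__main__":
    for group, verdict in sorted(classify(SAMPLE).items()):
        print(group, verdict)
```

Only a group that is periodic and also runs under the account that owns the ArcGIS process is a candidate for a tuning exception; the same binary launched by any other account or parent stays in the alert stream.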