Forum Discussion
Defender365 Alerts for high volume file deletion
Paragon06 You're not alone, others have been getting these alerts again recently as well. I opened a support ticket about it, as this seems like the rule is obviously broken when it's alerting constantly on routine programmatic deletion of files from the local appdata folder, but the rep just insists that this is how it's supposed to work, and if I don't like it I should turn the rule off (and possibly create a replacement rule that is more targeted.) Maybe someone else will have better luck than I did at convincing them that the rule/detection is broken.
There are other threads that have been discussing this on & off issue for a while, here's one:
Re: Unusual volume of file deletion - Microsoft Tech Community
Thanks for the reply. I've worked out whats going on, but not why. So its actually reporting people as deleting files, but the people are actually using the files. Most of the alerts were for app data deletion, it turns out its just people using the apps. And the odd report where it showed a network file, once i checked with the users, they were using those files, but non were deleted.
So its very broken. I've opened a support ticket about it. I'll let you know if i get sense out of them.
- Hi
Same issue here at around the same time, just logged a call with MS now.
Ours look like a bunch of files in appdata as well as other files in users' user profile on thier AAD joined device.
Keep us posted with your progress and what the support say.
Do you guys have Defender and Complinace intergration by any chance setup/enabled?
