Forum Discussion
Defender365 Alerts for high volume file deletion
Paragon06 You're not alone, others have been getting these alerts again recently as well. I opened a support ticket about it, as this seems like the rule is obviously broken when it's alerting constantly on routine programmatic deletion of files from the local appdata folder, but the rep just insists that this is how it's supposed to work, and if I don't like it I should turn the rule off (and possibly create a replacement rule that is more targeted.) Maybe someone else will have better luck than I did at convincing them that the rule/detection is broken.
There are other threads that have been discussing this on-and-off issue for a while; here's one:
Re: Unusual volume of file deletion - Microsoft Tech Community
Thanks for the reply. I've worked out what's going on, but not why. So it's actually reporting people as deleting files, but the people are actually using the files. Most of the alerts were for app data deletion; it turns out it's just people using the apps. And the odd report where it showed a network file, once I checked with the users, they were using those files, but none were deleted.
So it's very broken. I've opened a support ticket about it. I'll let you know if I get sense out of them.
- Hussayn, Sep 22, 2022, Copper Contributor
Hi
Same issue here at around the same time, just logged a call with MS now.
Ours look like a bunch of files in appdata as well as other files in users' user profile on their AAD joined device.
Keep us posted with your progress and what the support say.
Do you guys have Defender and Compliance integration by any chance set up/enabled?
- Paragon06, Sep 22, 2022, Copper Contributor
Hussayn, we do have Defender and Compliance integration.
Our case has been passed on to a back end team, but I've not heard anything in a few days. Once I do, I'll post the outcome.
Cheers
Jamie
- Hussayn, Sep 23, 2022, Copper Contributor
Thanks for sharing. The only reason I was asking is I guess this is how the compliance tool, and therefore the alerting rule, knows about files being 'deleted' within the users' local profiles - the Defender telemetry - plus it's only something I enabled in our environment around the time (9th Sept). I suspect you and others have had this integration running for some time.
I too was told by the first support rep, after they spoke with their TL, that this is how it is, just set a limit on the email notification to reduce the notifications, but I pushed back and it's been reassigned to someone else.
Thanks
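An added example, not from this thread or from Microsoft: an advanced hunting (KQL) query against the Defender for Endpoint DeviceFileEvents table that separates the routine AppData churn the posters describe from deletions elsewhere, so you can see what the built-in alert is actually counting and prototype the "more targeted" replacement rule Paragon06 mentions. The lookback, threshold and path pattern are assumptions to tune for your environment.

```kusto
// Added example (not from the thread): triage "Unusual volume of file deletion"
// and prototype a more targeted rule. Values below are assumptions to tune.
let lookback = 24h;
let threshold = 500;  // assumed: non-routine deletions per account+device before it is worth a look
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileDeleted"
// Mark deletions under the user's profile AppData tree (caches, temp, browser
// profiles) as routine application churn instead of dropping them outright,
// so the breakdown still shows what the existing alert has been counting.
| extend IsRoutine = FolderPath matches regex @"(?i)\\AppData\\(Local|LocalLow|Roaming)\\"
| summarize
    TotalDeleted   = count(),
    RoutineDeleted = countif(IsRoutine),
    OtherDeleted   = countif(not(IsRoutine)),
    // Which processes did the deleting: expect browsers, Office, Teams, etc. for routine churn
    Processes      = make_set(InitiatingProcessFileName, 10),
    // A few non-routine folders, to check with the user whether anything really went missing
    SampleFolders  = make_set_if(FolderPath, not(IsRoutine), 5),
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName
// Surface only accounts whose deletions OUTSIDE profile churn exceed the threshold;
// drop this line to see the full picture, including the routine counts.
| where OtherDeleted > threshold
| order by OtherDeleted desc
```

To turn this into a custom detection rule rather than a hunting query, the result set must also carry the Timestamp, ReportId and DeviceId of the triggering events (for example via arg_max inside the summarize), which this triage version deliberately omits.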