Forum Discussion
Defender365 Alerts for high volume file deletion
Thanks for the reply. I've worked out what's going on, but not why. So it's actually reporting people as deleting files, but the people are actually using the files. Most of the alerts were for app data deletion; it turns out it's just people using the apps. And the odd report where it showed a network file, once I checked with the users, they were using those files, but none were deleted.
So it's very broken. I've opened a support ticket about it. I'll let you know if I get sense out of them.
Same issue here at around the same time, just logged a call with MS now.
Ours look like a bunch of files in appdata as well as other files in users' user profile on their AAD joined device.
Keep us posted with your progress and what the support say.
Do you guys have Defender and Compliance integration by any chance setup/enabled?
- Paragon06, Sep 22, 2022, Copper Contributor
Hussayn We do have defender and compliance integration.
Our case has been passed on to a back end team but I've not heard anything in a few days. Once I do, I'll post the outcome.
Cheers
Jamie
- Hussayn, Sep 23, 2022, Copper Contributor
Thanks for sharing, the only reason I was asking is I guess this is how the compliance tool and therefore the alerting rule knows about files being 'deleted' within the users' local profiles - the Defender telemetry, plus it's only something I enabled in our environment around the time (9th Sept). I suspect you and others have had this integration running for some time.
I too was told by the first support rep after they spoke with their TL, this is how it is, just set a limit on the email notification to reduce the notification, but I pushed back and it's been reassigned to someone else.
Thanks
- Ed_Carmody, Oct 09, 2022, Copper Contributor
We enabled the Intune profile Intune data collection policy / Device Configuration Profiles - Windows health monitoring and set Health monitoring Enable / Scope Endpoint analytics. It looks like this is triggering the same behavior with Inet and Windows search cache being deleted.