Forum Discussion
Paragon06
Sep 13, 2022 Copper Contributor
Defender365 Alerts for high volume file deletion
All of a sudden we're getting large volumes of alerts from Defender for unusual volume of file deletions. We seldom get these and when we do it has previously turned out to be a user clearing old fil...
Leo_Lopez
Copper Contributor
Did anyone else stop getting these alerts since 11/8? Looked in our Purview portal, and the alert policy isn't there anymore.
Hussayn
Nov 22, 2022 Copper Contributor
Interesting you mention this, I still have a MS ticket open, they asked me to check it again, I re-enabled this rule I believe on 7th Nov, then MS asked what's the status of the rule, I went to check and I thought I was going crazy as it was not there on the 8th.
I was informed yesterday 21st Nov that it was deleted by MS, however I assumed it was just in my tenant and that was infuriating, however it seems you have the same, no rule. This is extremely frustrating that they would simply delete the rule without giving notification. These 1st line guys from MS said it was done because my original issue was getting too many alerts... Jokers.
What I would say is they did come back to me before the 7th and say MS had adjusted the algorithm which was too aggressive, then they changed it again, but I only got 1 alert email between 7th and 8th.
I was also informed by one of their 1st line guys that they may soon remove this alerting rule and we would need to create one in its place manually, but I was not expecting it to be deleted straight away.
Today they said they will check why it was deleted and get it added back in.
Let's see what these jokers come back with tomorrow.
- Leo_Lopez Nov 22, 2022 Copper Contributor
I was also informed by MS support that the policy is "...in the process of being deprecated based on customer feedback..." Then, I was told I can just recreate the policy myself.
- Hussayn Nov 24, 2022 Copper Contributor
Hahh, I just spotted this MC447684 which explains but tbh I don't recall being asked or giving any feedback to say I want to remove this old rule - do any of you?
It took these MS support people 6 weeks of this case being open to correlate this. I wish they would have pointed me to this when I opened the case.
I'm 100% . Thanks Microsoft