Deleted and Unmached files

%3CLINGO-SUB%20id%3D%22lingo-sub-2043127%22%20slang%3D%22en-US%22%3EDeleted%20and%20Unmached%20files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2043127%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20community%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20working%20with%20MCAS%20DLP%20Feature%20and%20want%20to%20know%20if%20there%20is%20any%20way%20to%20identify%20the%20alerts%20with%20deleted%20files%20or%20where%20files%20dont%20match%20the%20policy%20anymore%20%3F%20For%20example%2C%20I%20would%20like%20to%20know%20for%20a%20set%20of%20alerts%20if%20the%20user%20has%20deleted%20the%20file%20or%20changed%20the%20content..%20Thanks%20in%20advance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EElmo%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2043127%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2059716%22%20slang%3D%22en-US%22%3ERe%3A%20Deleted%20and%20Unmached%20files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2059716%22%20slang%3D%22en-US%22%3EHi%2C%20I%20would%20check%20the%20Graph%20API%20for%20MCAS%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fapi-introduction%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fapi-introduction%3C%2FA%3E.%3CBR%20%2F%3E%3CBR%20%2F%3EMaybe%20you%20find%20something%20there.%3CBR%20%2F%3E%3CBR%20%2F%3EBR%3C%2FLINGO-BODY%3E
Occasional Visitor

Hello community,

 

We are working with MCAS DLP Feature and want to know if there is any way to identify the alerts with deleted files or where files dont match the policy anymore ? For example, I would like to know for a set of alerts if the user has deleted the file or changed the content.. Thanks in advance.

 

Regards,

Elmo

2 Replies
Hi, I would check the Graph API for MCAS: https://docs.microsoft.com/en-us/cloud-app-security/api-introduction.

Maybe you find something there.

BR

@AElmo15 Yes you can create a custom policy in MCAS for user deleting multiple files within a certain time period. In the policy, the activity type should be selected as 'FileDeleted'.