FileDeleted

We see a bunch of file deleted activities in the activity log, and they kind of pile up, making it hard to filter out. These are even at times when users are not on their workstations, so it must be something the OS is doing.


I've included a screenshot of how they show up in MCAS. Also below is the raw data minus some personal info.


{
"OrganizationId": "ORGID",
"CreationTime": "2020-12-17T13:15:37.0000000Z",
"RecordType": 63,
"Operation": "FileDeleted",
"UserType": 0,
"Workload": "Endpoint",
"ClientIP": "MYIP",
"UserKey": "MYEMAIL@MYDOMAIN.COM",
"Version": 1,
"UserId": "MYEMAIL@MYDOMAIN.COM",
"ObjectId": "C:\\Users\\MYDEVICE\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{84296cf9-e999-4161-8bbe-3a5192034643}\\0.2.filtertrie.intermediate.txt",
"Id": "ID",
"SourceLocationType": 1,
"MDATPDeviceId": "73bfc51f276dea70fc65542fb64b662691",
"FileType": "TEXT",
"FileExtension": "txt",
"Application": "RuntimeBroker.exe",
"DeviceName": "MYDEVICE",
"FileSize": 0,
"Platform": 1,
"Hidden": false,
"Scope": 1
}


@Michael Platt just replying here to follow the thread, but don't have a straight answer.

I guess this is by design when you do MCAS and MDATP integration. Do you have policies for massive file deletion? Might want to tweak that a little, because I don't think you can do anything about the audit data.
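As an added example (not code from the thread or from Microsoft's tooling), a small Python triage filter that marks the RuntimeBroker.exe deletions of Windows Search index files described in the original post as OS noise and then counts what remains per user and device, the figure a mass-file-deletion policy like the one mentioned in the reply would threshold. The newline-delimited JSON export shape, the example users and devices, and the function names are assumptions; the record fields and the ConstraintIndex path come from the post.

```python
import json
import re
from collections import Counter

# Constructed sample export: one JSON record per line, shaped like the FileDeleted
# record in the post (RecordType 63, Workload "Endpoint"). Users and devices are placeholders.
SAMPLE_NDJSON = r'''
{"CreationTime": "2020-12-17T13:15:37Z", "RecordType": 63, "Operation": "FileDeleted", "Workload": "Endpoint", "UserId": "user1@example.com", "DeviceName": "DEV1", "Application": "RuntimeBroker.exe", "ObjectId": "C:\\Users\\DEV1\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{84296cf9-e999-4161-8bbe-3a5192034643}\\0.2.filtertrie.intermediate.txt"}
{"CreationTime": "2020-12-17T13:15:38Z", "RecordType": 63, "Operation": "FileDeleted", "Workload": "Endpoint", "UserId": "user1@example.com", "DeviceName": "DEV1", "Application": "RuntimeBroker.exe", "ObjectId": "C:\\Users\\DEV1\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{84296cf9-e999-4161-8bbe-3a5192034643}\\0.3.filtertrie.intermediate.txt"}
{"CreationTime": "2020-12-17T13:20:01Z", "RecordType": 63, "Operation": "FileDeleted", "Workload": "Endpoint", "UserId": "user1@example.com", "DeviceName": "DEV1", "Application": "explorer.exe", "ObjectId": "C:\\Users\\DEV1\\Documents\\report.docx"}
{"CreationTime": "2020-12-17T13:21:09Z", "RecordType": 63, "Operation": "FileDeleted", "Workload": "Endpoint", "UserId": "user2@example.com", "DeviceName": "DEV2", "Application": "cmd.exe", "ObjectId": "C:\\Users\\DEV2\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{84296cf9-e999-4161-8bbe-3a5192034643}\\0.2.filtertrie.intermediate.txt"}
'''

# Windows Search constraint-index location under the per-user package folder. The package
# suffix in the post is cw5n1h2txyewy; it is matched generically here in case it differs.
SEARCH_INDEX_RE = re.compile(
    r"\\Packages\\Microsoft\.Windows\.Search_[^\\]+\\LocalState\\ConstraintIndex\\",
    re.IGNORECASE,
)


def parse_records(ndjson_text):
    """Parse newline-delimited audit records, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def is_search_index_noise(record):
    """True only when RuntimeBroker.exe itself removed a search-index file.

    Keying on the application as well as the path matters: the same path deleted by
    another process is not index maintenance and should stay visible to analysts.
    """
    return (
        record.get("Operation") == "FileDeleted"
        and record.get("Workload") == "Endpoint"
        and record.get("Application", "").lower() == "runtimebroker.exe"
        and SEARCH_INDEX_RE.search(record.get("ObjectId", "")) is not None
    )


def suppress_noise(records):
    """Drop the OS index-maintenance deletions and keep everything else."""
    return [r for r in records if not is_search_index_noise(r)]


def deletions_per_user_device(records):
    """Count remaining FileDeleted events per (UserId, DeviceName); a mass-deletion
    policy would compare these counts against its threshold per time window."""
    return Counter(
        (r["UserId"], r["DeviceName"]) for r in records if r.get("Operation") == "FileDeleted"
    )


if __name__ == "__main__":
    kept = suppress_noise(parse_records(SAMPLE_NDJSON))
    for key, n in deletions_per_user_device(kept).items():
        print(key, n)
```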