Unusual volume file deletion alert office 365 not showing in cloud app


Hey guys,

I just have a quick question: we receive several mails from O365 about a user triggering the unusual volume of file deletion, however we don't see any warning in Cloud App Security, even though we linked the app connector and we actually see the file deletions in the activity log. So why is Cloud App Security not giving any error on this, or do I still need to do anything else?

 

Thanks already.

Greetings

3 Replies

I don't have an answer but didn't even know this feature was available.

Keen to see if it can be done.

@Wesley Baeyens the detections in O365 and Cloud App Security are not the same and do not have the same logic.

The one in MCAS will take into account more criteria, like the location that was used by the user to perform the downloads.

Best regards

@Sebastien Molendijk 

We have the same situation. Is there any documentation about the logic of the mentioned alerts? Do you have any guidance for the coexistence of S&C alert policies and MCAS anomaly detections? Should we disable the S&C Alerts because the MCAS policies are more accurate?

Thanks for your help!