Jan 13 2021 09:58 AM
I've setup a File Policy inside MCAS that uses the Data Classification Service Inspection Method to look for files that contain things like SSN, CCN, etc.
I've setup the filter to only target a couple of folders for now while I test.
When I first enabled this policy, it was able to accurately detect the existing files with the data I was looking for. However, I've since added new files to the folder with the same sensitive data and also modified files to add sensitive data to verify that these are also identified in MCAS. I found that the new files are actually not being picked up at all in MCAS.
When I just search inside of "Files" under "Investigate" I don't see my new or modified files. I verified that the O365 connector is still active and that new events are coming through on most files.
It just seems like there is a delay in when new or modified files are available in MCAS. I've waited 2 days, but the files still do not show.
Interestingly, I can see these files being logged when I used the O365 Compliance Center Content Explorer feature, which allows me to search for any sensitive data. So it pulls in the admin center, but not in MCAS.
Is it normal behavior to have a couple of days delay in new or modified files being registered in MCAS? Is there any way to improve this? I fear that with this long of a delay, malicious actions could be taken on a file that I would have no insight on in MCAS.
Jan 26 2021 10:52 AM