Oct 11 2022 03:42 AM
Hi Community, has anyone played around with the "in Trash" option in an MDCA file policy (DLP)?
I created a detection policy for (a)
and (b)
Both detection policies resulted in the same policy matches count.
I reviewed this kb - https://learn.microsoft.com/en-us/defender-cloud-apps/file-filters
In trash – Exclude/include files in the trash folder. These files may still be shared and pose a risk.
Would users' deleted files = files that have been moved to trash?
If my result shows that the value is similar, would a file retention hold policy applied for SPO and OneDrive impact the result because the files aren't really 'deleted' into the trash?
Look forward to hearing from anyone else with similar experiences and how they go about reducing the number of policy matches when files are already 'trashed'. :)
Oct 11 2022 11:53 AM
Hi @jokej_outlook,
If a file has been deleted and trashed, my expectation is that it would fall out of file matches and be removed from the UI in Defender for Cloud Apps.
Oct 16 2022 07:45 AM
@Keith_Fleming have you had any experience where there's a retention hold in place for files stored in OneDrive and SharePoint Online?
I am unsure if it's related; it seems that file violations stayed in the detected list even after they've been deleted by users.
One workaround I had was to manually 'refresh' the files in MDCA; that seems to help, but I have 1.2mil violations and I can't 'refresh' all of them regularly from the console.
Oct 18 2022 08:43 PM
@jokej_outlook after the refresh is the file being deleted from the UI?
If you create a new file policy I would expect files in scope to be rescanned automatically without needing to refresh.
Oct 20 2022 01:51 AM
Oct 21 2022 01:51 PM
@jokej_outlook I would recommend opening up a case for this so it can be investigated. If the file is in the trash and it's deleted, I wouldn't expect to see it in the UI and matching a policy.