Confirmation of when Defender/Defender ATP deletes files

%3CLINGO-SUB%20id%3D%22lingo-sub-1585870%22%20slang%3D%22en-US%22%3EConfirmation%20of%20when%20Defender%2FDefender%20ATP%20deletes%20files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1585870%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe're%20fairly%20new%20to%20Defender%20ATP%2C%20and%20one%20of%20the%20things%20that%20is%20particularly%20frustrating%20at%20the%20moment%20is%20that%20it%20is%20unclear%20from%20the%20securitycenter.microsoft.com%20portal%20when%20evidence%20in%20a%20particular%20alert%20or%20incident%20has%20been%20deleted%2C%20and%20when%20it%20has%20just%20been%20prevented%20from%20running.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20that%20in%20some%20cases%2C%20the%20files%20are%20deleted%2C%20but%20there%20isn't%20any%20clear%20indication%20in%20the%20portal%20on%20when%20this%20happens.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20get%20A%20LOT%20of%20unwanted%20software%20tickets%2C%20and%20it%20would%20be%20significantly%20easier%20to%20process%20incidents%20if%20we%20could%20easily%20see%20when%20offending%20files%20have%20been%20deleted%2C%20or%20when%20we%20need%20to%20do%20this%20ourselves.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20this%20exists%20and%20I'm%20just%20missing%20it%2C%20I'd%20love%20to%20be%20pointed%20to%20where%20I%20can%20find%20this%20information.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EAlex%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi All,

 

We're fairly new to Defender ATP, and one of the things that is particularly frustrating at the moment is that it is unclear from the securitycenter.microsoft.com portal when evidence in a particular alert or incident has been deleted, and when it has just been prevented from running.

 

I know that in some cases, the files are deleted, but there isn't any clear indication in the portal on when this happens. 

 

We get A LOT of unwanted software tickets, and it would be significantly easier to process incidents if we could easily see when offending files have been deleted, or when we need to do this ourselves.

 

If this exists and I'm just missing it, I'd love to be pointed to where I can find this information.

 

Thanks,

Alex

0 Replies