cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

"Unusual volume of file deletion" Policy and Thumbs.db

Jeff Harlow
Iron Contributor

‎Aug 21 2019 08:39 AM - edited ‎Aug 21 2019 08:40 AM

‎Aug 21 2019 08:39 AM - edited ‎Aug 21 2019 08:40 AM

"Unusual volume of file deletion" Policy and Thumbs.db

I enabled the "Unusual volume of file deletion" policy and been ok for several months. Yesterday I received over 2 dozens alerts when it deleted a user "deleting" a bunch of "Thumbs.db" files.  She actually was not deleting files but from her statement, she was searching for images in a Sharepoint online site. Short story, I assume since Windows Explorer creates thumbs.db as folders are viewed, and when she as done, those files were deleted which prompted this alert (fyi, users sync SP libraries) .   Not sure why it hasnt come up before.  Whatever the case, I was looking to customize the alert anyways. I get these all of the time as users delete files they intend to delete. So I was thinking about creating some exclusions.  For this example, the Thumbs.db.  So I created this rule. 

clipboard_image_0.png

 

I would think this would exclude the extension thumbs.db; however when I save and look over the details it seems that it is setting the alert to ONLY look for this file. 

clipboard_image_1.png

 

Is this a typo or I am I misunderstanding this rule ?    Long term, I would like to have a smarter rule; for example, ignore users download folders as we use OneDrive Sync and I get quite a few alerts when a user deletes old downloaded files.  

10.2K Views
0 Likes
2 Replies
Reply
2 Replies
Vasil Michev

‎Aug 21 2019 10:58 AM

‎Aug 21 2019 10:58 AM

Re: "Unusual volume of file deletion" Policy and Thumbs.db

Looks like a display issue. But not sure the rule will work, as it's expecting a file *extension*, not the full file name.

0 Likes
Reply
best response confirmed by Deleted
Jeff Harlow

‎Aug 21 2019 11:05 AM

‎Aug 21 2019 11:05 AM

Solution

Re: "Unusual volume of file deletion" Policy and Thumbs.db

@Vasil Michev .. Noticed the same issue when I created a condition to rule out a user "NT AUTHORITY\SYSTEM" when granting mailbox permissions. It too shows as an equal while I have "User is None of These". Weird.  

 

Thanks for catching the syntax. I changed it to filename instead of extension. Will see if that works now. 

 

Microsoft seems to have abandoned these rules. I reported over a year ago certain criteria should not get flagged. For example, the granting permissions. I do not know what exactly is setting off the alert, but every week, I get at least one that "NT AUTHORITY\SYSTEM" has added permissions to a mailbox. This has been going on since they enabled alerts and yet to this day, I still get the alert.  I am hoping that adding the none of these to the alert, it will stop. I still want to know when someone grants permissions as that can be a sign of a hacker. 

 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Deleted
Jeff Harlow

‎Aug 21 2019 11:05 AM

‎Aug 21 2019 11:05 AM

Solution

Re: "Unusual volume of file deletion" Policy and Thumbs.db

@Vasil Michev .. Noticed the same issue when I created a condition to rule out a user "NT AUTHORITY\SYSTEM" when granting mailbox permissions. It too shows as an equal while I have "User is None of These". Weird.  

 

Thanks for catching the syntax. I changed it to filename instead of extension. Will see if that works now. 

 

Microsoft seems to have abandoned these rules. I reported over a year ago certain criteria should not get flagged. For example, the granting permissions. I do not know what exactly is setting off the alert, but every week, I get at least one that "NT AUTHORITY\SYSTEM" has added permissions to a mailbox. This has been going on since they enabled alerts and yet to this day, I still get the alert.  I am hoping that adding the none of these to the alert, it will stop. I still want to know when someone grants permissions as that can be a sign of a hacker. 

 

View solution in original post

0 Likes
Reply