SOLVED

"Unusual volume of file deletion" Policy and Thumbs.db


I enabled the "Unusual volume of file deletion" policy and have been ok for several months. Yesterday I received over two dozen alerts when it detected a user "deleting" a bunch of "Thumbs.db" files. She actually was not deleting files but, from her statement, she was searching for images in a SharePoint Online site. Short story, I assume since Windows Explorer creates thumbs.db as folders are viewed, and when she was done, those files were deleted, which prompted this alert (fyi, users sync SP libraries). Not sure why it hasn't come up before. Whatever the case, I was looking to customize the alert anyways. I get these all of the time as users delete files they intend to delete. So I was thinking about creating some exclusions. For this example, the Thumbs.db. So I created this rule.

[image: clipboard_image_0.png]

I would think this would exclude the extension thumbs.db; however, when I save and look over the details it seems that it is setting the alert to ONLY look for this file.

[image: clipboard_image_1.png]

Is this a typo, or am I misunderstanding this rule? Long term, I would like to have a smarter rule; for example, ignore users' Downloads folders, as we use OneDrive Sync and I get quite a few alerts when a user deletes old downloaded files.

2 Replies

Looks like a display issue. But not sure the rule will work, as it's expecting a file *extension*, not the full file name.

Solution

@Vasil Michev .. Noticed the same issue when I created a condition to rule out a user "NT AUTHORITY\SYSTEM" when granting mailbox permissions. It too shows as an equals while I have "User is None of These". Weird.

Thanks for catching the syntax. I changed it to filename instead of extension. Will see if that works now.

Microsoft seems to have abandoned these rules. I reported over a year ago that certain criteria should not get flagged. For example, the granting of permissions. I do not know what exactly is setting off the alert, but every week I get at least one that "NT AUTHORITY\SYSTEM" has added permissions to a mailbox. This has been going on since they enabled alerts and yet, to this day, I still get the alert. I am hoping that by adding the "none of these" condition to the alert, it will stop. I still want to know when someone grants permissions, as that can be a sign of a hacker.
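To make the two points in this thread concrete (an "extension" condition never matches a full file name such as Thumbs.db, and a "none of these" condition is an exclusion while "any of these" narrows the alert to just that value), here is a small rule evaluator over constructed file-deletion records. It is an added example, not Microsoft's alert engine or anything from the original posts: the event shape, the condition field names (`file_extension`, `file_name`, `top_folder`, `user`), the operator names (`is_any_of`, `is_none_of`) and the threshold of three deletions per user are all my own assumptions chosen to mirror the thread's wording.

```python
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileDeletedEvent:
    """One 'file deleted' record (constructed shape, not the real audit schema)."""
    user: str
    path: str  # path inside the synced library, relative to the site root


# Constructed sample records: alice cleans up Thumbs.db files that Explorer created
# while she browsed a synced library, bob purges old downloads, a SYSTEM account does
# housekeeping, and carol bulk-deletes finance files (the case that should still alert).
SAMPLE_EVENTS = [
    FileDeletedEvent("alice@contoso.example", r"Marketing\Images\Thumbs.db"),
    FileDeletedEvent("alice@contoso.example", r"Marketing\Images\2019\Thumbs.db"),
    FileDeletedEvent("alice@contoso.example", r"Marketing\Logos\Thumbs.db"),
    FileDeletedEvent("alice@contoso.example", r"Marketing\Logos\banner.png"),
    FileDeletedEvent("bob@contoso.example", r"Downloads\setup-old.exe"),
    FileDeletedEvent("bob@contoso.example", r"Downloads\report-2018.pdf"),
    FileDeletedEvent("bob@contoso.example", r"Downloads\slides.pptx"),
    FileDeletedEvent(r"NT AUTHORITY\SYSTEM", r"Temp\cache1.tmp"),
    FileDeletedEvent(r"NT AUTHORITY\SYSTEM", r"Temp\cache2.tmp"),
    FileDeletedEvent(r"NT AUTHORITY\SYSTEM", r"Temp\cache3.tmp"),
    FileDeletedEvent("carol@contoso.example", r"Finance\Q1.xlsx"),
    FileDeletedEvent("carol@contoso.example", r"Finance\Q2.xlsx"),
    FileDeletedEvent("carol@contoso.example", r"Finance\Q3.xlsx"),
    FileDeletedEvent("carol@contoso.example", r"Finance\Q4.xlsx"),
]


def file_extension(path: str) -> str:
    """Extension without the dot, lower-cased: 'Thumbs.db' -> 'db' (never 'thumbs.db')."""
    return PureWindowsPath(path).suffix.lstrip(".").lower()


def file_name(path: str) -> str:
    """Last path component, lower-cased: 'Marketing\\Images\\Thumbs.db' -> 'thumbs.db'."""
    return PureWindowsPath(path).name.lower()


def top_folder(path: str) -> str:
    """First path component, lower-cased, so a whole folder such as Downloads can be excluded."""
    parts = PureWindowsPath(path).parts
    return parts[0].lower() if parts else ""


# Hypothetical condition fields, each mapping an event to the value the condition compares.
FIELDS = {
    "file_extension": lambda e: file_extension(e.path),
    "file_name": lambda e: file_name(e.path),
    "top_folder": lambda e: top_folder(e.path),
    "user": lambda e: e.user.lower(),
}


def condition_holds(event: FileDeletedEvent, field: str, operator: str, values: list) -> bool:
    """is_any_of narrows the alert to the listed values; is_none_of excludes them."""
    actual = FIELDS[field](event)
    wanted = {v.lower() for v in values}
    if operator == "is_any_of":
        return actual in wanted
    if operator == "is_none_of":
        return actual not in wanted
    raise ValueError(f"unknown operator {operator!r}")


def deletions_per_user(events, conditions) -> Counter:
    """Count only the deletions that satisfy every condition (all conditions are AND-ed)."""
    counts = Counter()
    for event in events:
        if all(condition_holds(event, *cond) for cond in conditions):
            counts[event.user] += 1
    return counts


def flagged_users(events, conditions, threshold: int) -> list:
    """Users whose qualifying deletion count reaches the 'unusual volume' threshold."""
    counts = deletions_per_user(events, conditions)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    rules = {
        "no exclusions": [],
        "extension none-of thumbs.db (does nothing)": [("file_extension", "is_none_of", ["thumbs.db"])],
        "file name any-of Thumbs.db (only that file)": [("file_name", "is_any_of", ["Thumbs.db"])],
        "file name none-of Thumbs.db": [("file_name", "is_none_of", ["Thumbs.db"])],
        "all exclusions": [
            ("file_name", "is_none_of", ["Thumbs.db"]),
            ("top_folder", "is_none_of", ["Downloads"]),
            ("user", "is_none_of", [r"NT AUTHORITY\SYSTEM"]),
        ],
    }
    for label, conds in rules.items():
        print(f"{label}: {flagged_users(SAMPLE_EVENTS, conds, 3)}")
```

Running it shows why the original rule misfired: the extension of `Thumbs.db` is `db`, so a "file extension is none of thumbs.db" condition excludes nothing and alice is still flagged, while "file name is any of Thumbs.db" (what the saved rule appeared to say) flags only the Thumbs.db deletions. With a file-name exclusion, a Downloads folder exclusion and a user exclusion for the SYSTEM account, only the finance bulk deletion remains, which is the one a reviewer still wants to see.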