Unusual volume of file deletion

Our company is starting to get a lot of alerts regarding 'Unusual volume of file deletion'. It seems like every deletion path is c\users\appdata\local or c\users\appdata\local.

As we investigate, the deletion of files is happening when we are off work or early in the morning. 

@Sebastianrhenriksen12

We have also seen this behavior. Ours started in early February. Right now, I see no indication that this is anything other than normal system behavior. Hoping someone can help us confirm.

I've just started seeing these come up in my environment recently. While I could definitely see a malicious actor deleting temp files from the user profile to hide its tracks, I can't help but wonder if these might just be a new monitor that is a little overzealous. The fact that I'm seeing posts from others who got these alerts as far back as November, though, has me wondering what changed that they're suddenly happening here.

Since my last post, these alerts have only increased. I have received over 30 of these messages in the past ~3 hours. It's getting ridiculous. Has anyone found a solution to adjust the sensitivity on these?

I have this same scenario. I received 190 alerts of this type; I analyzed most of them, and they all point to the AppData folder. I realized that they are false positives. I will close the incidents on the Defender portal with the false positive information; now I need to wait to see if I will still receive this large mass of incidents of this type.
We've just started receiving hundreds of these alerts too, starting on September 6. I just had to turn this alert policy completely off.

Yeah, I started getting these again this morning, and have received 18 alert emails in the past 4 hours.

This is insane, the amount of false positives blowing up my mailbox. Has anyone made a custom alert for this that excludes the file path? I cannot seem to figure out how to add a path with a wildcard for the user profile as an exception.
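The posts above all describe the same triage: the flagged deletions sit under C:\Users\<user>\AppData\Local, they happen outside working hours, and the portal offers no obvious wildcard exclusion for the user-profile segment. The script below is an added example, not code from the original thread or from Microsoft's alert policy: it takes exported deletion rows (the three-column sample is constructed here, and the export format, working hours and the "profile-local only" verdict are assumptions) and does that triage offline. The user-name wildcard is a single path segment, so a path such as C:\Users\bob\Downloads\AppData\Local\... is correctly treated as outside the exclusion rather than swallowed by a broad `*`.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exclusion for the per-user local AppData tree. The user-name wildcard is one
# directory component ([^\\]+), so "appdata\local" deeper in the tree does not
# match. Assumption: Windows-style paths as reported in the alerts.
PROFILE_LOCAL_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)

# Assumed local working hours used for the "off-hours" count (07:00-19:00).
WORKDAY_START = 7
WORKDAY_END = 19

# Constructed sample export: (timestamp, user, deleted path). Not real alert data.
SAMPLE_EVENTS = [
    ("2024-09-06 02:13", "alice", r"C:\Users\alice\AppData\Local\Temp\abc123.tmp"),
    ("2024-09-06 02:14", "alice", "C:/Users/alice/AppData/Local/Microsoft/Windows/INetCache/x.dat"),
    ("2024-09-06 02:15", "alice", r"C:\Users\alice\AppData\Local\Temp\def456.tmp"),
    ("2024-09-06 10:30", "bob",   r"C:\Users\bob\AppData\Local\Temp\cache.bin"),
    ("2024-09-06 10:31", "bob",   r"C:\Users\bob\Documents\report.docx"),
    ("2024-09-06 10:32", "bob",   r"C:\Users\bob\Documents\budget.xlsx"),
    ("2024-09-06 23:05", "carol", r"C:\Users\carol\Downloads\AppData\Local\keep.txt"),
]


def normalize_path(path: str) -> str:
    """Unify separators so one regex covers both slash styles and doubled separators."""
    p = path.strip().replace("/", "\\")
    return re.sub(r"\\+", r"\\", p)


def is_profile_local(path: str) -> bool:
    """True when the path is inside C:\\Users\\<one user>\\AppData\\Local\\."""
    return PROFILE_LOCAL_RE.match(normalize_path(path)) is not None


def is_off_hours(ts: datetime) -> bool:
    """True when the deletion happened outside the assumed working hours."""
    return ts.hour < WORKDAY_START or ts.hour >= WORKDAY_END


def triage(events):
    """Group deletions per user and separate profile-local noise from everything else.

    Returns {user: {"total", "profile_local", "outside", "off_hours",
                    "outside_paths", "verdict"}}.
    """
    summary = defaultdict(lambda: {
        "total": 0, "profile_local": 0, "outside": 0, "off_hours": 0, "outside_paths": [],
    })
    for ts_text, user, path in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M")
        s = summary[user]
        s["total"] += 1
        if is_profile_local(path):
            s["profile_local"] += 1
        else:
            s["outside"] += 1
            s["outside_paths"].append(normalize_path(path))
        if is_off_hours(ts):
            s["off_hours"] += 1
    for s in summary.values():
        # Only deletions confined to the profile-local tree are treated as candidate
        # false positives; anything else is handed to an analyst.
        s["verdict"] = ("profile-local only, likely benign" if s["outside"] == 0
                        else "review: deletions outside AppData\\Local")
    return dict(summary)


if __name__ == "__main__":
    for user, s in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {s['total']} deletions, {s['profile_local']} profile-local, "
              f"{s['outside']} outside, {s['off_hours']} off-hours -> {s['verdict']}")
        for p in s["outside_paths"]:
            print(f"    outside: {p}")
```

Feed it the deletion rows exported for one alert and the verdict tells you whether the alert can be closed as profile-local cleanup or needs a look at the listed outside paths; the off-hours count is there because the original poster noticed the timing, and scheduled cleanup jobs at night look different from a user wiping Documents at 02:00.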
I contacted support, but the person handling my ticket insists that this is working as intended. That's obviously not the case, but I couldn't get him to even consider the possibility that something is broken. I suggest others having this issue open tickets for it as well, hopefully someone will get a better result.
Yup, I will do the same, because it is ridiculous to get this amount of alerts from the AppData folder. There should be an exclusion option for acceptable risk.
Any new updates for this?
It happens in endpoint, and this is weird.