Unusual volume of file deletion

Copper Contributor

I have recently started receiving a lot of Unusual volume of file deletion alerts that point to a users \AppData-Local,\AppData-Roaming paths, and deletions that appear to be related to application updates or clearing of caches.  I thought this alert was limited to Sharepoint or Onedrive deletions. This is an on/off policy with no ability to set path exceptions.  Just curious if I missed an announcement or something else is contributing to this increase in alerts.

2 Replies
Nah, they've been around for years, you probably haven't run into them yet. If you are using MCAS (Defender for cloud), you can disable this policy and replace it with a more robust one, if it's creating too much noise.

@VasilMichev 


Thanks for the prompt response, I will take a look.  This just seems to have started for me on November 10th. It is noisy.