SOLVED

Is there any way to detect mass file deletion in Sharepoint in Office 365?

Regular Contributor

We extensively use Teams and all of our files are there, supported by Sharepoint. Is there any way to detect a mass file deletion so it can be investigated?

 

Scenarios:

  • Person has sync'd a library to their hard drive via ODfB and they whack a folder structure, intentionally or unintentionally, but not realizing that it will remove it from the cloud.
  • Disgruntled employee whacks a folder or series of folders.

I know the data will be retained in the recycle bin for 93 days, but then it will vanish. If the folder(s) removed are not currently used, say 2016 financial documents, you might not notice for 2 years, but then the IRS comes knocking for an audit and your files are gone!

I'd like to be able to be alerted to or proactively monitor mass deletions to review and ensure it is valid.

6 Replies
best response confirmed by Ed Hansberry (Regular Contributor)
Solution

Did you see these announcements, which is a step in the right direction for this sort of thing but not exactly what you're after.

 

"OneDrive scans files on download for known threats, provides file versioning for all file types, and sends notifications if a mass file deletion is detected."

 

Great if this could be brought to libraries, where mass anomalies are flagged to admins.   

 

Saying all that, check out Office 365 Cloud App Security, which has Anomaly detection policies like 'unusual file deletion activity' that can alert on suspicious activities.  This comes at an additional cost unless using E5.

As mentioned above, CAS is the tool that you will want to help solve that problem, along with many others. 

Thanks. I had seen the OneDrive announcement, but I believe that is just for OneDrive for Business (and personal) but not Sharepoint libraries sync'd via the ODfB client.

I had not seen the Cloud App Security link, and that does look interesting. I will check it out.

Have a look at the Microsoft 365 roadmap, Feature ID: 31754
SharePoint and OneDrive: mass delete notification

 

Well, it is a start, but....

 

To help raise awareness of possible uncommon or accidental file deletions (based on a 'higher than usual' number of deleted files per hour), people will be notified if a large number of files are deleted. For OneDrive, if a large number of files are deleted from a person's OneDrive, that person - the *owner* - will be sent an email notification letting them know about it and pointing them to the Recycle Bin in case they want to restore. For SharePoint team sites, if a large number of files are deleted, the *person that deleted them* (site owner or member) will be sent an email notification letting them know about it and pointing them to the Recycle Bin in case they want to restore. Each email notification will include an unsubscribe link at the bottom for those that wish to opt out of this type of notification.

 

I'd like an admin to be notified of a large number of sharepoint file deletions, not the disgruntled employee that is whacking a bunch of stuff.