Apr 10 2018 08:42 AM
Apr 10 2018 08:42 AM
We extensively use Teams and all of our files are there, supported by Sharepoint. Is there any way to detect a mass file deletion so it can be investigated?
I know the data will be retained in the recycle bin for 93 days, but then it will vanish. If the folder(s) removed are not currently used, say 2016 financial documents, you might not notice for 2 years, but then the IRS comes knocking for an audit and your files are gone!
I'd like to be able to be alerted to or proactively monitor mass deletions to review and ensure it is valid.
Apr 10 2018 09:45 AM - edited Apr 10 2018 09:59 AMSolution
Did you see these announcements, which is a step in the right direction for this sort of thing but not exactly what you're after.
"OneDrive scans files on download for known threats, provides file versioning for all file types, and sends notifications if a mass file deletion is detected."
Great if this could be brought to libraries, where mass anomalies are flagged to admins.
Saying all that, check out Office 365 Cloud App Security, which has Anomaly detection policies like 'unusual file deletion activity' that can alert on suspicious activities. This comes at an additional cost unless using E5.
Apr 10 2018 11:07 AM
As mentioned above, CAS is the tool that you will want to help solve that problem, along with many others.
Apr 11 2018 02:37 PM
Thanks. I had seen the OneDrive announcement, but I believe that is just for OneDrive for Business (and personal) but not Sharepoint libraries sync'd via the ODfB client.
I had not seen the Cloud App Security link, and that does look interesting. I will check it out.
Aug 30 2018 02:01 AM
Have a look at the Microsoft 365 roadmap, Feature ID: 31754
SharePoint and OneDrive: mass delete notification
Aug 30 2018 09:01 AM
Well, it is a start, but....
To help raise awareness of possible uncommon or accidental file deletions (based on a 'higher than usual' number of deleted files per hour), people will be notified if a large number of files are deleted. For OneDrive, if a large number of files are deleted from a person's OneDrive, that person - the *owner* - will be sent an email notification letting them know about it and pointing them to the Recycle Bin in case they want to restore. For SharePoint team sites, if a large number of files are deleted, the *person that deleted them* (site owner or member) will be sent an email notification letting them know about it and pointing them to the Recycle Bin in case they want to restore. Each email notification will include an unsubscribe link at the bottom for those that wish to opt out of this type of notification.
I'd like an admin to be notified of a large number of sharepoint file deletions, not the disgruntled employee that is whacking a bunch of stuff.