Protecting against Malicious Deletes with Adaptive Protection


There are many data-related activities you can monitor with Purview’s Insider Risk Management feature to help manage and protect against insider risks. This post is not a deep-dive on that feature as Microsoft has done this already… Learn about Insider Risk Management. Instead, this post demonstrates one specific Insider Risk Management feature called Adaptive Protection and how it is used to protect against deleted content.

Whether content is deleted by a malicious user, a compromised user or through sheer end-user neglect, it can be disastrous for an organization if it goes undetected. You may be thinking there are other controls in place to protect against this and you are right, but none of them are as targeted, dynamic, and purpose-built as the Adaptive Protection feature integrated with Data Lifecycle Management. This is definitely a “better together” story.

For instance, you may be thinking…

“Deletion activities are audited so we will know it happened!” You are correct; however, unless someone (or a script) is proactively looking for those specific deletion activities, they may go unnoticed amidst other activities (including legitimate deletion activity) in the (very busy) unified audit log of Microsoft 365.

“There’s a recycle bin in SharePoint/OneDrive to preserve the deleted content!” True; however, with the right permissions, a user can also delete content from both the first and second stage recycle bins. If this is a malicious/compromised user, this is a likely scenario. Content remains in the recycle bins for only 93 days; unless you become aware of the deletion before then, the content is permanently deleted and unrecoverable.

“We have retention labels applied to content so we don’t have to worry about this!” Although this is a good control, you still may have to protect against deletion. Whether or not a user can delete a file with a retention label applied depends on these factors:

  1. The Records management setting for deleting labeled content configured in Purview:
    • a tenant-wide setting for Records management (image) will either disallow/allow users to delete content with a retention label applied. If this setting is set to disallow, the file cannot be deleted without first removing the retention label. If this setting is set to allow, a user can delete the file, but it will be preserved in the Preservation Hold Library (for deleted items in SharePoint and OneDrive) and Recoverable Items folder (for deleted items in Exchange) for the remaining duration of the retention label. Setting this to allow will protect against deleted content in SharePoint and OneDrive if you have retention labels applied to content there.
  2. The type of retention label applied to content and the user’s permission level.
    • Any user with at least contribute permission can remove a non-record retention label from a file, which will then allow them to delete it.
    • A record retention label applied to a file will require site collection admin permission (this includes site and team owners) to remove the label first, which will then allow them to delete it.

“We have retention policies in place so we don’t have to worry about this!” This will definitely mitigate the risk of deleted content so kudos to you!! If you have a retention policy in effect, a malicious user could delete content including from the first and second stage recycle bins, but deleted content would be preserved in the Preservation Hold Library (for deleted items in SharePoint and OneDrive) and Recoverable Items folder (for deleted items in Exchange) for the remaining duration of the retention policy. This is an excellent mitigating control; however, it is really only effective if it is applied to all SharePoint sites and OneDrive sites since you don’t know in advance where malicious deletions may occur. Remember, a retention policy does have other implications if applied to all SharePoint sites and OneDrive sites (storage quotas, deleted users, etc.) which you must consider if you have chosen to do this.


What’s a better alternative?

Purview Adaptive Protection is a better alternative to mitigate the risk of malicious deletes because it is user risk based and dynamically adjusts. I’ll discuss this purpose-built feature in the remainder of this post.

This feature integrates Data Lifecycle Management with the Insider Risk Management solution to proactively preserve content deleted from SharePoint, OneDrive, and Exchange by an elevated risk user. (As of the time of this writing, this feature is in Public Preview).

Here’s how the feature looks end-to-end…

Microsoft documentation: Dynamically mitigate the risk of accidental or malicious deletes

In Purview, once Adaptive Protection is enabled for your tenant in Insider Risk Management, you can enable Adaptive Protection for Data Lifecycle Management:

That’s it! No other configuration is required inside Data Lifecycle Management. Based on the conditions you have configured in Insider Risk Management for what constitutes an elevated risk user in your organization (image), once a user’s risk level becomes Elevated, any content they delete from SharePoint, OneDrive, or Exchange is automatically preserved in the same way as for other Purview features such as retention policies, record label versions, eDiscovery holds, etc.


What happens behind the scenes?

If a user’s risk level becomes elevated based on the conditions you’ve defined in Adaptive Protection (like John Brown in this tenant), the user is dynamically added to a Data Lifecycle Management auto-labeling policy so any content they delete from SharePoint, OneDrive, and Exchange is automatically preserved.

SharePoint/OneDrive – in the (hidden) Preservation Hold Library (PHL), a copy of the deleted document is preserved by Purview in a folder called Protected with a retention label applied. The retention label (named Protecting data from malicious deletes) is automatically created for you and, in fact, you can see neither the label nor the label policy in Purview Data Lifecycle Management.

Exchange – in the (hidden) Recoverable Items Folder (RIF), a copy of any deleted email is preserved with the retention label, Protecting data from malicious deletes, applied. You can detect these by searching in John’s mailbox for all content and then filtering for the retention label. I was unable to get the search by the retention label to return these items so I returned all items in John’s mailbox first and then filtered on the retention label in the eDiscovery Premium review set (image):

The detailed email results show the retention label has been applied:

Preserved for 120 days

As of the time of this writing, items with this label will remain in the PHL/RIF for 120 days before becoming eligible for permanent deletion. This provides you 120 days to restore any files you require. (I believe Microsoft support is currently required to restore any content preserved with this label)

As with other Purview features that preserve content in these hidden locations, the content is discoverable by search and eDiscovery.


Monitor for these new audit activities!

New audit activities are also generated for these preservation events; they are great candidates for proactive monitoring so you can follow up and get the content restored (perhaps elsewhere). These are far more targeted to monitor than the regular delete activities:

  • For SharePoint and OneDrive, audit activity: Retained file proactively
  • For Exchange, audit activity: Retained email item proactively
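As an added illustration (not part of the original post or any Microsoft tooling), the script below scans exported unified audit log records for the two proactive retention activities named above, groups them by user and computes the date by which each item must be restored, using the 120-day window the post describes. The record layout mirrors the AuditData JSON of a Search-UnifiedAuditLog export but the field names, sample values and the assumption that the Operation field carries the friendly activity names are all mine; adjust them to what your tenant actually emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Friendly activity names from the post. Whether the raw "Operation" value in an
# exported record uses exactly these strings is an assumption; adjust as needed.
PROACTIVE_RETENTION_OPS = {
    "Retained file proactively": "SharePoint/OneDrive",
    "Retained email item proactively": "Exchange",
}
RESTORE_WINDOW = timedelta(days=120)  # items stay in the PHL/RIF for 120 days

# Constructed sample records shaped like the AuditData JSON column of a
# Search-UnifiedAuditLog export (field names assumed, users and paths invented).
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2024-03-01T10:15:00","UserId":"john.brown@contoso.example","Operation":"Retained file proactively","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/finance/Shared Documents/Q1-forecast.xlsx"}',
    '{"CreationTime":"2024-03-01T10:16:30","UserId":"john.brown@contoso.example","Operation":"FileDeleted","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/finance/Shared Documents/Q1-forecast.xlsx"}',
    '{"CreationTime":"2024-03-02T08:00:00","UserId":"john.brown@contoso.example","Operation":"Retained email item proactively","Workload":"Exchange","ObjectId":"Inbox/Board pack March"}',
    '{"CreationTime":"2024-03-02T09:00:00","UserId":"ann.lee@contoso.example","Operation":"FileDeleted","Workload":"OneDrive","ObjectId":"https://contoso-my.example/personal/ann_lee/Documents/notes.docx"}',
]


def find_proactive_retentions(lines):
    """Return, per user, the items Adaptive Protection preserved and the date by
    which each must be restored before it becomes eligible for permanent deletion."""
    hits = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        workload = PROACTIVE_RETENTION_OPS.get(rec.get("Operation"))
        if workload is None:
            continue  # ordinary deletes are noisy; only the targeted activity matters here
        retained_at = datetime.fromisoformat(rec["CreationTime"])
        hits[rec["UserId"]].append({
            "workload": workload,
            "item": rec.get("ObjectId"),
            "retained_at": retained_at,
            "restore_by": retained_at + RESTORE_WINDOW,
        })
    return dict(hits)


if __name__ == "__main__":
    for user, items in find_proactive_retentions(SAMPLE_AUDIT_LINES).items():
        print(f"{user}: {len(items)} item(s) preserved by Adaptive Protection")
        for it in items:
            print(f"  [{it['workload']}] {it['item']} -> restore by {it['restore_by']:%Y-%m-%d}")
```

Feed it the AuditData column of a real export (one JSON object per line) and route any non-empty result to whoever owns the follow-up, since the ordinary FileDeleted events for the same objects are deliberately ignored.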

Intentional or not, I’ve discovered you can use the Policy lookup feature in Purview to see this automatically created label policy, Proactive data retention for risky users (please know, there is no configuration you can do on this policy nor is any required!):


Closing thoughts

This is a great capability that is simple to enable with a tremendously helpful impact. I hope you found my end-to-end walk-through helpful.

Thanks for reading.

-JCK
