Delay in File Content Inspection Discovery


I've set up a File Policy inside MCAS that uses the Data Classification Service Inspection Method to look for files that contain things like SSN, CCN, etc.

I've set up the filter to only target a couple of folders for now while I test.

When I first enabled this policy, it was able to accurately detect the existing files with the data I was looking for. However, I've since added new files to the folder with the same sensitive data and also modified files to add sensitive data to verify that these are also identified in MCAS. I found that the new files are actually not being picked up at all in MCAS. 

When I just search inside of "Files" under "Investigate" I don't see my new or modified files. I verified that the O365 connector is still active and that new events are coming through on most files. 

It just seems like there is a delay in when new or modified files are available in MCAS. I've waited 2 days, but the files still do not show. 

Interestingly, I can see these files being logged when I used the O365 Compliance Center Content Explorer feature, which allows me to search for any sensitive data. So it pulls in the admin center, but not in MCAS. 

Is it normal behavior to have a couple of days delay in new or modified files being registered in MCAS? Is there any way to improve this? I fear that with this long of a delay, malicious actions could be taken on a file that I would have no insight on in MCAS. 

1 Reply
A usual delay of a couple of minutes is expected, but if your files are not being scanned for more than 8 hours then you need to worry.

As far as I know this is a product issue at the moment. Microsoft identifies a new driver user only when the user uploads a file to OD or SP. And it uses the Graph API for that. Sometimes when SP or OD are overwhelmed with API requests, the server will respond with a 429 error and MCAS will fail to scan the content or drive. In that case it will miss this new drive.

You should reach out to MS support for this issue.
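
A coverage check for the symptom discussed in this thread, added here as an example (it is not code from either poster or from Microsoft): it compares a reference inventory of sensitive files against what the file inspection has indexed, flags files whose latest version has gone unindexed for more than the 8 hours mentioned in the reply, and lists drives with no indexed file at all, the pattern the reply attributes to a missed drive. The records, field names and drive ids are constructed, and how the two inventories are exported is assumed to happen elsewhere.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Threshold taken from the reply: unscanned for more than 8 hours is a concern.
MAX_DELAY = timedelta(hours=8)

def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data; field names are hypothetical, not a real export schema.
REFERENCE = [  # files a second inventory (e.g. a compliance search) already lists
    {"drive": "od:alice", "path": "/Test/ssn-old.docx", "modified": ts("2021-01-10T09:00")},
    {"drive": "od:alice", "path": "/Test/ssn-edited.xlsx", "modified": ts("2021-01-13T10:00")},
    {"drive": "od:alice", "path": "/Test/ccn-fresh.txt", "modified": ts("2021-01-15T11:00")},
    {"drive": "od:bob", "path": "/Docs/ccn-new.docx", "modified": ts("2021-01-13T08:00")},
    {"drive": "od:bob", "path": "/Docs/ssn-new.pdf", "modified": ts("2021-01-13T08:30")},
]
MCAS_SEEN = {  # (drive, path) -> modified time of the version already indexed
    ("od:alice", "/Test/ssn-old.docx"): ts("2021-01-10T09:00"),
    ("od:alice", "/Test/ssn-edited.xlsx"): ts("2021-01-10T09:05"),
}

def find_inspection_gaps(reference, seen, now, max_delay=MAX_DELAY):
    """Return (findings, undiscovered_drives).

    findings: (drive, path, status) where status is 'missing' (never indexed)
    or 'stale' (only an older version indexed), for files whose latest
    version has been waiting longer than max_delay.
    undiscovered_drives: drives where no reference file is indexed at all.
    """
    findings = []
    per_drive = defaultdict(lambda: [0, 0])  # drive -> [files, indexed files]
    for f in reference:
        indexed = seen.get((f["drive"], f["path"]))
        per_drive[f["drive"]][0] += 1
        if indexed is not None:
            per_drive[f["drive"]][1] += 1
            if indexed >= f["modified"]:
                continue  # current version is indexed
        if now - f["modified"] <= max_delay:
            continue  # still inside the tolerated window
        findings.append((f["drive"], f["path"], "missing" if indexed is None else "stale"))
    undiscovered = sorted(d for d, (_, hits) in per_drive.items() if hits == 0)
    return findings, undiscovered

if __name__ == "__main__":
    gaps, drives = find_inspection_gaps(REFERENCE, MCAS_SEEN, ts("2021-01-15T12:00"))
    for drive, path, status in gaps:
        print(f"{status:8} {drive}{path}")
    print("drives with no indexed files:", drives)
```

A drive that appears only in the second list points at discovery rather than per-file inspection, which is useful detail to include in a support case.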