Office Protect Event - Item deleted from Retention Mechanism

This event triggers when files are deleted manually from retention mechanisms like the recycle bin's recycle bin.


Vandal hacker trying to remove files permanently will delete them from retention mechanism. This almost never happens in regular business operations. This event triggers when items are deleted from SharePoint’s 2nd level recycle bin. 


Remediation


To ensure that no items are permanently lost, we recommend setting up a retention label and a retention policy for SharePoint and OneDrive. That way, non-admins are unable to permanently delete files, and they will be retained and recoverable from user deletion for the time your set in your policy (up to 7 years).


Unfortunately, if there are no retention policies in place, there is no way for you to recover files that have been deleted from the retention mechanism.


Microsoft Documentation on how to set up a retention policy: https://docs.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide