“Where did my file go?” With File System Activity in place for StealthAUDIT, this question can be answered easily within the Access Information Center.
Not only can we identify what happened to the file, we can sometimes even show you where it ended up. The options menu while viewing an Activity Details Report in the AIC has a Target Path checkbox that, when enabled, can show moves and renames:
*Due to monitoring limitations this can only be seen when the move is to a location on the same host.
If someone has a suspected drag-and-drop file loss within the same host, now you can simply search for the filename within the drop-down search feature:
These drop-down searches are available throughout most of the AIC’s data views, not just for activity as shown here. This way your searching is not limited merely to Resource Views – you can also search by a user’s activity as well.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff is a Senior Engineer at STEALTHbits.