STEALTHbits ProTip: Where did my file go?: STEALTHbits File Activity Monitor

In the first “Where did my file go?” post, we discussed locating files using StealthAUDIT’s Access Information Center. Now, with the STEALTHbits File Activity Monitor in place, this same question can be answered in real-time directly within the console.

Not only can we identify what happened to a file, we can even show you where it ended up. First, start a New Activity Search within the STEALTHbits File Activity Monitor by either pressing Ctrl+F or selecting the magnifying glass located in the top pane of the console:

[Screenshot: New Activity Search in the STEALTHbits File Activity Monitor]

Now, scope the search criteria to include only renames and deletes, the typical activities that result in a lost file/folder. Other parameters can help scope the query for meaningful results as well. Consider including the file/folder name or the known extension type within the File Path field like below:

[Screenshot: scoping the query in the STEALTHbits File Activity Monitor]

We have now scoped our real-time activity search to include typical lost-file operations on .pdf file types. The data view allows you to filter and sort even further once the query is complete. Here, I’ve scoped our search further to only show rename operations:

[Screenshot: rename operations in the STEALTHbits File Activity Monitor]
*Due to monitoring limitations, renames can only be seen when the move is to a location on the same host; otherwise, they appear as creates on the target host. Between hosts, though, this activity typically defaults to a copy, duplicating the data instead of losing the original.
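
The same triage, sketched in Python over a constructed list of file-activity events: scope to renames and deletes of .pdf files, follow a file through its renames, and check for same-name creates on other hosts as the note above describes. This is an added example, not STEALTHbits code or output; the `Event` fields, host names and paths are assumptions made for illustration.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:                      # hypothetical record layout, not the product's schema
    ts: str                       # ISO 8601 timestamp (sorts lexically)
    host: str
    op: str                       # "rename", "delete", "create", "read", ...
    path: str
    new_path: Optional[str] = None  # populated for renames only

# Constructed sample events for illustration.
EVENTS = [
    Event("2024-01-05T09:00:00", "fs01", "rename", r"\\fs01\finance\q4.pdf",
          r"\\fs01\finance\archive\q4.pdf"),
    Event("2024-01-05T09:02:00", "fs01", "read", r"\\fs01\finance\budget.xlsx"),
    Event("2024-01-05T09:05:00", "fs01", "rename", r"\\fs01\finance\archive\q4.pdf",
          r"\\fs01\finance\archive\q4-final.pdf"),
    Event("2024-01-05T09:10:00", "fs01", "delete", r"\\fs01\hr\policy.pdf"),
    Event("2024-01-05T09:12:00", "fs02", "create", r"\\fs02\scans\invoice.pdf"),
]

def scope(events, ops=("rename", "delete"), ext=".pdf"):
    """Keep only the operations and extension the search is scoped to, oldest first."""
    hits = [e for e in events if e.op in ops and e.path.lower().endswith(ext.lower())]
    return sorted(hits, key=lambda e: e.ts)

def trace(events, start_path):
    """Follow renames from start_path; return (last known path, status)."""
    current, status = start_path, "no rename or delete seen"
    for e in scope(events, ext=""):            # any extension: a rename may change it
        if e.path.lower() != current.lower():  # Windows paths compare case-insensitively
            continue
        if e.op == "delete":
            return current, "deleted"
        current, status = e.new_path, "renamed"
    return current, status

def cross_host_creates(events, filename):
    """Creates of the same file name: how a move to another host appears on the target."""
    return [e for e in events if e.op == "create"
            and ntpath.basename(e.path).lower() == filename.lower()]

if __name__ == "__main__":
    print(trace(EVENTS, r"\\fs01\finance\q4.pdf"))
    print([e.host for e in cross_host_creates(EVENTS, "invoice.pdf")])
```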

Next time someone in your organization has a suspected drag-and-drop or deletion, you can simply search within STEALTHbits File Activity Monitor in real-time, skipping any processing necessary for StealthAUDIT’s in-depth analysis.
