Scenario: The Administrator comes into the office one morning and everyone is in a panic. Someone, either by accident or maliciously, deleted the folder containing a project that is to be presented to an important client later this afternoon. Because of Morro's versioning feature, the folder can easily be restored, but no one is willing to admit they were at fault. What can the Administrator do?
Let's say that the folder is named "deleteme", was in the "audit-test0" share, and was removed sometime in the last couple of days.
Step 1 - Go to the Events page in Morro Audit.
Step 2 - Enter the known information for the event stream.
Since we know the folder was deleted in the last couple of days, we can set the Since and Until fields to cover this period of time. As a shortcut, we can select Last 2 Days or Last 3 Days in the Period field.
We don't know who deleted it or from which gateway, so we can leave the default values in those fields. The share containing the folder can be selected to reduce the amount of data that needs to be processed.
Once these settings are configured, we can see that there are 3805 events that meet the criteria. The event chart shows when these events occurred, with darker squares signifying a larger number of events in that period.
Step 3 - Create the event stream and final filter.
Now that the event stream has been created, we can create a final filter before seeing the results.
Since we're trying to find out who deleted the folder, we can unset all of the Includes except "Includes Delete".
There are three types of path filtering:
- Search by Path Prefix - Path starts with this value.
- Search by Path Suffix - Path ends with this value.
- Search by Path Containing - Path contains this value.
We know that the name of the folder is "deleteme", so we can add that to the "Search by Path Suffix" field. Keep in mind that a suffix filter is a plain string match: it also returns any path that merely ends in those characters (for example a file called "undeleteme"), while the files inside the folder are excluded because their paths end in their own names. If the results are noisy, include the preceding path separator in the value or combine the suffix with a "Search by Path Prefix" filter.
The final settings can be seen in the screenshot below:
Step 4 - View the results.
Click Show Details to see the results. Enable fields as necessary to see the required information.
Here we see that deleteme was deleted:
- on 6/30/2021 at 21:18:05 UTC
- by user dltest1
- on gateway dl-lab-laptop-0
- from a client with IP address 10.0.0.180
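The same investigation can be reproduced offline against an exported event log, which is useful when the Events page is unavailable or when you want to re-run the question over a different window. The following is an added example, not Morro Audit's own code or export format: the JSON-lines layout, the field names (time, share, gateway, user, client_ip, action, path) and the sample records are constructed assumptions chosen to mirror the columns shown in Step 4. It implements the Since/Until window (including the "Last N Days" shortcut), the share/gateway/user selectors, the Includes set and the three path filters, and it shows why a bare suffix of "deleteme" over-matches while "/deleteme" does not.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit export, one JSON object per line. The JSON-lines
# layout and the field names are assumptions made for this example; they are
# not Morro Audit's real export schema.
SAMPLE_EXPORT = """\
{"time": "2021-06-29T08:02:11Z", "share": "audit-test0", "gateway": "dl-lab-laptop-0", "user": "dltest2", "client_ip": "10.0.0.181", "action": "Create", "path": "/deleteme/slides.pptx"}
{"time": "2021-06-30T09:40:00Z", "share": "other-share", "gateway": "dl-lab-laptop-1", "user": "dltest3", "client_ip": "10.0.0.182", "action": "Delete", "path": "/deleteme"}
{"time": "2021-06-30T10:00:00Z", "share": "audit-test0", "gateway": "dl-lab-laptop-0", "user": "dltest2", "client_ip": "10.0.0.181", "action": "Rename", "path": "/deleteme"}
{"time": "2021-06-30T11:30:00Z", "share": "audit-test0", "gateway": "dl-lab-laptop-0", "user": "dltest2", "client_ip": "10.0.0.181", "action": "Delete", "path": "/scratch/undeleteme"}
{"time": "2021-06-30T21:17:59Z", "share": "audit-test0", "gateway": "dl-lab-laptop-0", "user": "dltest1", "client_ip": "10.0.0.180", "action": "Delete", "path": "/deleteme/slides.pptx"}
{"time": "2021-06-30T21:18:05Z", "share": "audit-test0", "gateway": "dl-lab-laptop-0", "user": "dltest1", "client_ip": "10.0.0.180", "action": "Delete", "path": "/deleteme"}
{"time": "2021-06-25T12:00:00Z", "share": "audit-test0", "gateway": "dl-lab-laptop-0", "user": "dltest1", "client_ip": "10.0.0.180", "action": "Delete", "path": "/old/deleteme"}
"""

# "Now" for the scenario: the afternoon of the presentation (constructed).
DEMO_NOW_TEXT = "2021-07-01T15:00:00Z"


def parse_time(text):
    """Parse the export's UTC timestamps into timezone-aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Load one event per non-empty line, converting the timestamp field."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = parse_time(ev["time"])
            events.append(ev)
    return events


def last_days_window(now, days):
    """Equivalent of the Period shortcut 'Last N Days': returns (since, until)."""
    return now - timedelta(days=days), now


def filter_events(events, since, until, share=None, gateway=None, user=None,
                  includes=None, path_prefix=None, path_suffix=None,
                  path_contains=None):
    """Apply the Events-page criteria: a Since/Until window, the optional
    share/gateway/user selectors, the Includes set of actions and the three
    path filters. None means "leave the default", i.e. no filtering on that
    field. Results come back oldest first."""
    hits = []
    for ev in events:
        if not since <= ev["time"] <= until:
            continue
        if share is not None and ev["share"] != share:
            continue
        if gateway is not None and ev["gateway"] != gateway:
            continue
        if user is not None and ev["user"] != user:
            continue
        if includes is not None and ev["action"] not in includes:
            continue
        path = ev["path"]
        if path_prefix is not None and not path.startswith(path_prefix):
            continue
        if path_suffix is not None and not path.endswith(path_suffix):
            continue
        if path_contains is not None and path_contains not in path:
            continue
        hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])


def who_deleted(events, suffix, share, now, days=3):
    """Steps 2-4 of the walkthrough: window plus share, Includes Delete only,
    Search by Path Suffix. Returns (time, user, gateway, client_ip, path)."""
    since, until = last_days_window(now, days)
    hits = filter_events(events, since, until, share=share,
                         includes={"Delete"}, path_suffix=suffix)
    return [(ev["time"], ev["user"], ev["gateway"], ev["client_ip"], ev["path"])
            for ev in hits]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    now = parse_time(DEMO_NOW_TEXT)
    # A bare suffix of "deleteme" also matches "/scratch/undeleteme";
    # anchoring on the separator, "/deleteme", leaves only the folder itself.
    for suffix in ("deleteme", "/deleteme"):
        print(f"suffix {suffix!r}:")
        for when, who, gw, ip, path in who_deleted(evs, suffix, "audit-test0", now):
            print(f"  {when:%Y-%m-%d %H:%M:%S} UTC  {who}  {gw}  {ip}  {path}")
```

Widening the window (days=10 here) is the first thing to try when the folder does not appear: the same 6/25 deletion of /old/deleteme is invisible under "Last 3 Days" and shows up as soon as the Since bound moves back past it.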