Scenario: Someone decided to reorganize project data and now you can't find the folder you were working in.  The reorganizer doesn't remember where he or she moved the file or folder, and may have even renamed it to fit into a better naming scheme.  What can the Administrator do?


For this example, let's say the missing folder is named "find_this_folder" which was later renamed to "find_this_folder_renamed".


Step 1 - Go to the Events page in Morro Audit.



Click CREATE TRACE.



Step 2 - Enter the known information and create an event trace.



Since we have very little information to go on, it may be best to make the event stream as general as possible at the expense of creating a very large event stream.  At minimum, a time period of up to 31 days is required, so take your best guess at when the reorganization happened and enter the time range in the Since and Until fields.  You may also select a period in the Period dropdown.


If you believe the reorganization happened within the same share, you may restrict the event stream by share using the "Events by Share" dropdown.  You can also use the "Events by Gateway" and "Events by User" dropdowns if you have that information.


For this example, we will assume we know very little and will only use the time period restriction.


Click GET PREVIEW/STATISTICS and then click CREATE EVENT STREAM once the restrictions are set.



Step 3 - Create the event stream and final filter.



After creating the event stream, we can apply a final filter.  Since we're looking for a folder named "find_this_folder", we can enter this in the "Search by Path Suffix" field.  To see all events on this folder, enable "All Events" checkboxe. 

Finally, click SEARCH to see all of the filtered events.



Step 4 - View the results.



Here we can see that "find_this_folder" was moved into "subfolder" on 7/6/23 at 10:07 UTC.



Other Scenarios


Using Search by Path Prefix (Parent Folder)


But we can see that "find_this_folder" was renamed again at 10:08:12 UTC without any indication of the new name, what can we do?


If we go back to step 3 and remove "find_this_folder" from "Search by Path Suffix", then add "subfolder" in the "Search by Path Prefix", we can see the rename if the folder was not moved:




Using Timestamps


If the folder may have been moved to a different parent folder, another option is to go back to step 3 and remove all filename-based filters, then check based on the timestamp.  From the first screenshot in step 4, we see that the second rename happened on 7/6/23 @ 10:08:12, so if we get the event stream without name restrictions and sort the results by Date/Time, we can get the corresponding RENAME_DST event: