File operations: Delete/Move/Rename

An endpoint agent of StaffCop Enterprise has full functionality to track and intercept any file operations that occur on a user workstation or terminal server.

File interception is performed in accordance with the rules specified in the computer configuration.

A computer configuration can be assigned to all agents or to certain groups of computers/workstations.

The most frequent file operations that a security officer should pay attention to are deleting, moving, and renaming files.

All these events can be tracked by selecting “File -> File operation” in the “Dimension panel”.

To get a detailed report on only the events of interest (for example, “Delete”), select that operation. The result is a list of all file deletion operations.

For more detail, select “Analysis” in the display menu. In this case, you must add “Account -> User Name” to the dimension filter, then “Application -> Executable”.

In “Lens”, you can view the resulting information in whichever visualization is most convenient. For example, choose “Tree” with the following filters:

  • File operations
  • File operation -> Delete
  • tree branch “Account -> User name”
  • sub-branch “Application -> Executable”

The tree view is handy for data visualization.

Then you can click the “Export and printing” button and choose the most convenient way of exporting files to have the results downloaded or printed.