Protecting Incident Files from Deletion

The system automatically protects events and files related to open incidents from deletion. This feature ensures that critical data is preserved for potential investigations.

Note

The protection only applies to data linked to open incidents. You can freely delete data from closed incidents.

If an administrator attempts to delete an event or file associated with an open incident, they will see the following message: "The event is related to incident N XXXX. Deletion is not permitted. Please close the incident or disable protection in the settings."

How to Enable or Disable File Protection

By default, file protection is enabled. To disable it, add the following line to /etc/staffcop/config:

PROTECT_EVENTS_WITH_INCIDENTS = False
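
Because this one line removes the safeguard for open incidents, it is worth checking for during configuration audits. The following is an added example, not part of the product or its documentation: a shell function that reports the effective setting. It assumes the file holds KEY = VALUE lines with # comments, that the last assignment takes effect, and that True is the enabling value; the function name protection_state is hypothetical.

```shell
#!/bin/sh
# Added example: report the effective PROTECT_EVENTS_WITH_INCIDENTS state.
# Assumptions (not confirmed by the page): KEY = VALUE lines, '#' starts a
# comment, the last assignment of the key wins, and True means enabled.

protection_state() {
    # $1: path to the config file (defaults to the path named on this page)
    cfg="${1:-/etc/staffcop/config}"
    if [ ! -r "$cfg" ]; then
        echo "unknown"          # cannot read the file, so cannot decide
        return 2
    fi
    # Drop comments, keep only assignments of the key, take the last one.
    value=$(sed -e 's/#.*$//' "$cfg" \
        | sed -n 's/^[[:space:]]*PROTECT_EVENTS_WITH_INCIDENTS[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' \
        | tail -n 1)
    case "$value" in
        "")    echo "enabled"  ;;            # key absent: default applies
        True)  echo "enabled"  ;;
        False) echo "disabled" ;;            # protection switched off
        *)     echo "unknown"; return 2 ;;   # unexpected value, review by hand
    esac
}

# Usage: protection_state                      (checks /etc/staffcop/config)
#        protection_state /path/to/copy/of/config
```

A result of "disabled" on a server with open incidents means events and files tied to those incidents can be deleted by any of the operations this page lists.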

What File Protection Blocks

  • Deleting a monthly database shard

  • Manually deleting an event via the web console

  • Automatically cleaning events or files related to policies

  • Deleting an object along with associated computer and user data

  • Deleting events and files with the command staffcop cleandata

  • Deleting events and files with the command staffcop cleanup

How to Delete an Event or File

To delete an event or file, choose one of the following options:

  • Close the incident

  • Delete the incident

  • Disable protection via the config file