File operations: Delete/Move/Rename¶
An endpoint agent of StaffCop Enterprise has full functionality to track and intercept any file operations that occur on a user workstation or terminal server.
File interception is performed in accordance with the rules specified in the computer configuration.
A computer configuration can be assigned to all agents or to certain groups of computers/workstations.
The most frequent file operations that a security officer should pay attention to are the operations of Deletions/Moving/Renaming files.
All these events can be tracked by selecting “File -> File operation” in “Dimension panel”.
To get detailed reports on events of interest only (for example, “Delete”), select this operation. As a result, we get a list of all operations with files that have been deleted.
There is a possibility of getting detailed information by selecting “Analysis” in the display menu. In this case, you must add “Account -> User Name” in the dimension filter, then “Application -> Executable”.
In “Lens”, you can view the resulted information in a most convenient visualization form. For example, choose “Tree” with the following filters filters:
File operation -> Delete
tree branch “Account -> User name”
sub-branch “Application -> Executable”
The tree view is handy for data visualization and you can also print the data in the PDF format (click “Print” in the top part of the administrating menu).
Then click the button “Export and printing” to get the whole facts list for export and analysis - you will be able to print the received information (e.g. in PDF) for further analysis.