StephanGee (Steel Contributor)
Sep 07, 2023
Hunt for "Delete specific folder"
Hi,
I have a strange behavior - on some of my servers the Firewall Log folder is gone. It happens on Win2019 servers - maybe related to the fact that I accessed the folder to get the log file and added the admin user to the NTFS table.
But it should not happen - as it seems like a kind of "attack". So I am trying to find out when it happened and which process did this.
I tried to create a folder on my client and then search the timeline, but nothing appears. Do I need to set up NTFS auditing so that I can hunt for it, or is it just impossible with Defender?
BR
Stephan
6 Replies
- jbmartin6 (Iron Contributor): You said you searched the timeline; did you also check the DeviceFileEvents table?
- jbmartin6 (Iron Contributor): Looking at my org's data, I also don't see every FileDeleted event there; perhaps by default it only reports on specific folders due to event volume concerns. I didn't find anything online about possible limits on data in DeviceFileEvents, though.
- StephanGee (Steel Contributor): That's why I thought we might need to turn on auditing.