Deletion of a file from your SharePoint site either by internal users or outsiders can result in the loss of sensitive data. It is therefore essential to be able to monitor the deletion of files and have the ability to identify the name of the account that was used. Using this information, it should be a straightforward process to investigate whether the file was deleted by an internal user, or whether the user account was taken over by a hacker. Once investigated, an appropriate response can be taken. For example, it may be necessary to limit the user’s access to sensitive data stored on SharePoint or put an immediate stop to any suspicious activity.
In this guide, we will look at two methods for detecting who deleted a file on your SharePoint: using the native method and a more straightforward approach using the Lepide Auditor for SharePoint.
Using the Native Method
Check File Deletion on SharePoint Online
Please follow below steps:
- Navigate to Microsoft Purview at https://compliance.microsoft.com/
- Choose Audit, apply filters as required and click Search
- The query will be generated
- Click on the search name in the list to view the data. From here you can add further filters and download the search results
Here is an example of a generated query:
Check File Deletion on SharePoint Server
Please follow below steps:
- Navigate to Site Settings -> Site Collection Administration -> Site collection features
- Choose Reporting -> Activate
- Navigate to Site Settings -> Site Collection Administration -> Site collection audit settings
- Check Deleting or restoring items -> click OK
- Navigate to Site Settings -> Site Collection Administration
- Go to Audit log reports, select Deletions
- Open the generated report in MS Excel
How Lepide Auditor Helps
A more straightforward way to report on deleted files on SharePoint is to use the Lepide Auditor for SharePoint. Here you can run the Document Deleted report to see all documents which have been deleted over a specified time period.
Here is an example of the Document Deleted Report:
The report includes information about the File Name, Location, Who deleted it, When it was deleted, What was deleted and from Where.
To run the report:
- From the States & Behavior screen, select SharePoint Online Modification Reports, Document Deleted
- Specify a date range and click Generate Report
- The report can be grouped, sorted, filtered, exported, and saved
Here is an example of the Document Deleted Report for SharePoint On Premise/Server:
The report includes information about the Document Name, Document Location, Who deleted it, When it was deleted, What was deleted and from Where.
To run the report:
- From the States & Behavior screen, select Document Reports, Document Deleted
- Specify a date range and click Generate Report
- The report can be grouped, sorted, filtered, exported, and saved
