Azure Netapp files - who deleted folder ?

Question

We have a folder that keeps being deleted in a share on azure netapp storage. Is there any way to audit or find out who is deleting this folder ?

Answer 1

@JoeShmo1900, Welcome to Microsoft Q&A Forum, Thank yo for posting your query here!

Adding more information to the above repones!

• You can check in Azure portal--> storage account--> Activity log.

I would recommened to check the OS logs, if they are not properly enabled to capture the activity then they need to check with their OS admin.

Note: If the issue still persist, I would recommened to contact Azure Support to find the more detailed information of your scenario (This may require a deeper investigation,)

Azure NetApp Files does not have a built-in feature to directly audit or track who deleted a folder. However, you can utilize soft delete for the file share to protect against accidental deletion. Soft delete retains the file share's contents and recovery points (snapshots) for a minimum of 14 additional days, which allows for the recovery of file shares without data loss.

Additionally, Azure Backup can be used to back up your Azure file share via share snapshots. These snapshots are read-only, point-in-time copies of your share and are incremental, capturing only the data that has changed since the previous snapshot. You can have up to 200 snapshots per file share and retain them for up to 10 years. Azure Backup also offers monitoring and alerting capabilities that provide a consolidated view of your backup estate.

• Accidental delete protection for Azure file shares using Azure Backup
• Planning for an Azure Files deployment - Data protection
• Manage Azure File share backups - Delete backup data

Additional information: Deletion of an Azure NetApp Files volume is performed programmatically with immediate effect. The delete operation includes deleting keys used for encrypting data at rest. There is no option for any scenario to recover a deleted volume once the delete operation is executed successfully (via interfaces such as the Azure portal and the API.)

Additional information: Find who delete files and folders

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hello JoeShmo1900,

Thank you for posting your query here!

To audit folder deletions in Azure NetApp Files, you can utilize Azure Monitor. Please follow the below steps:

· Access the Azure portal using your Azure Active Directory (AAD) credentials and locate and select the Azure NetApp Files service in the Azure portal.

· Within your Azure NetApp Files account, navigate to the capacity pool and volume containing the share you want to audit. Under the Settings section, select "Diagnostic settings" and add a new diagnostic setting.

· Choose the types of logs you want to collect, specifically ANFVolume and ANFShare logs.

· Specify a Log Analytics workspace where the logs will be stored. If needed, you can create a new workspace for this purpose.

Once this is done, you can query the AzureDiagnostics logs in your Log Analytics workspace. Here's a sample KQL query that you can use:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETAPP/AZURENETAPPFILES"
| where Category == "ANFShare"
| where OperationName == "Microsoft.NetApp/azureNetAppFiles/shares/delete"
| where ShareName_s == "<YourShareName>"
| where FolderPath_s == "<YourFolderPath>"
| project TimeGenerated, Caller, ShareName_s, FolderPath_s, OperationName, ResultType, ResultDescription

Further details: https://learn.microsoft.com/en-us/azure/azure-netapp-files/monitor-azure-netapp-files

I hope this helps! Please let me know if the issue persists or if you have any other questions.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.