How to Detect Who Deleted a File on Your SharePoint

Native Auditing vs. Netwrix Auditor for SharePoint
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for SharePoint
Native Auditing
Netwrix Auditor for SharePoint
Steps
  1. Navigate to "Site Settings" → Click "Site Collection Administration" → Go to "Site collection features".
  2. Choose "Reporting" → Click "Activate".
  3. Navigate to "Site Settings" → Click "Site Collection Administration" → Go to "Site collection audit settings".
  4. Tick "Deleting or restoring items" → Click "OK".
  5. Navigate to "Site Settings" → Click "Site Collection Administration" → Go to "Audit log reports" → Select "Deletions".
  6. Open the generated report in MS Excel.
Detection who deleted file on SharePoint - native Adit log report
  1. Run Netwrix Auditor → Navigate to "Search" → Click on "Advanced mode" if not selected → Set up the following filters:
    • Filter = "Data source"
      Operator = "Equals"
      Value = "SharePoint"
    • Filter = "Object type"
      Operator = "Equals"
      Value = "Document"
    • Filter = "Action"
      Operator = "Equals"
      Value = "Removed"
  2. Click the "Search" button and review who deleted documents on your SharePoint.
Detection who deleted file on SharePoint - Netwrix Auditor Interactive Search
Learn more about Netwrix Auditor for SharePoint

Quickly Determine Who Deleted Files on a SharePoint Site so You Can Respond Appropriately to Unsanctioned Actions and Attacks

Inappropriate deletion of files from your SharePoint site performed either by outsiders or internal users can lead to data loss. Therefore, it’s critical to identify the name of the account that was used, and investigate whether an internal user deleted the file, or whether the user account was taken over by a hacker or malware. With that information, you can respond appropriately — for instance, by limiting the user’s access to sensitive data stored on SharePoint, or stopping malware activity in a timely manner.

Netwrix Auditor for SharePoint delivers complete visibility by providing valuable information on all read access events and changes, including who deleted files, across your entire SharePoint environment. IT administrators can use the Interactive Search feature to quickly generate an easy-to-read custom report on particular changes and save it for later use. They can also review the predefined All SharePoint Activity report, and receive a notification via email every time a file is deleted by using the subscription option with a predefined report.

Related How-tos
How to Detect File Changes in a Shared Folder How to Detect Who Changed a File or Folder Owner How to Detect SharePoint Permission Changes How to Export Active Directory Objects to CSV How to Track Who Deleted a File from Your Windows File Servers How to Export Folder Permissions to Excel or CSV File