Forensic Analysis
Conduct forensic investigations.
The Forensic Analysis page is an investigation hub that provides direct access to three forensic data tools: Audit Activity, File Access by User, and Configuration Changes. Use this page when you need to investigate a security incident, conduct an access review, or gather evidence for compliance. Keep in mind this feature set is made available via the Activity Monitoring feature set configured during Account Linkage.

Available Tools
We offer three tools to assist with forensic analysis: Audit Activity, File Access by User, and Configuration Changes. This feature set is available when Activity Monitoring
Audit Activity: raw CloudTrail event logs with complete API call records. Search by user, event type, resource, and time range.
File Access by User: detailed S3 access logs showing exactly which files each user or principal accessed, and what they did.
Configuration Changes: complete history of configuration changes to your cloud resources, with before-and-after snapshots.
Recommended Investigation Workflow
When investigating a potential incident:
Start with Audit Activity to get a timeline of API calls and identify the account or user involved.
Move to File Access by User to determine if any sensitive files were accessed or exfiltrated.
Check Configuration Changes to see if the attacker made any changes to your infrastructure (e.g. disabling logging, modifying IAM policies, opening public access).
Cross-reference findings with Suspected Attacks to see if DataDefender has already correlated the events into an attack chain.
Audit Activity
The Audit Activity tool lets you search and query your AWS CloudTrail and S3 Server Access Logs. Use it to find out who did what, when, and on which resources.

Search Filters
Build a query before fetching results. Click the Search Filters header to expand or collapse the panel.
Filter conditions — Add one or more conditions to narrow results:
Attribute: the event property to filter on (e.g. Identity, Event Name, Resource)
Operator: how to match (Equals, Contains, or Does Not Contain)
Value: the value to match against
Click + Add Condition to add another row. Click × to remove a condition.
Date range: Choose a preset (Last 24 hours, Last 7 days, Last 30 days) or select a custom start and end date.
Click Search to run the query. Click Reset to clear all conditions.
Tips
Start with a narrow date range if you know roughly when an event occurred — it returns results faster.
Filter Event Name = GetObject with a specific Identity to trace which files a user downloaded.
Filter Status = Failed to find unauthorized access attempts or permission errors.
Export to CSV options are available after a query is built.
File Access by User
The File Access by User tool provides granular S3 access logs showing exactly which files each user or service principal accessed, when they accessed them, and what they did.

Search Filters
Identity: the AWS user, role, or service that performed the access
Resource: the S3 bucket to search within
Path (optional): a specific file path or prefix to filter on
Date Range: the time window to search, in UTC
Select your criteria and click Search to load results.

Access Activity Grid
Each row represents one file access event.
Date / Time: when the access occurred
Account ID: the AWS account ID
User: the identity that performed the access
Action: the action performed: GET (download), PUT (upload), DELETE (delete)
Resource Name: the resource container (bucket) that was accessed
Object Path: the full path to the file within the bucket
Source IP: the IP address the request came from
Resource Type: the actual object type that was accessed
Event Name: the operation performed

Tips
Search by a specific user to see everything they accessed during a given time window.
Look for high-volume GET requests on a bucket as a sign of bulk data exfiltration.
A large number of DELETE operations may indicate data destruction.
Cross-reference the Source IP with known company IP ranges to identify access from unexpected locations.
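The heuristics in these Tips, and the Status = Failed tip under Audit Activity, can be run directly over raw S3 server access log lines. The following is an added example written for this page, not DataDefender's documentation or product code; the log lines, the IAM identities, the company IP range and the thresholds are all constructed sample values.

```python
import ipaddress
import re
from collections import Counter
# Constructed S3 server access log lines (not real data), showing the leading fields:
# owner bucket [time] remote-ip requester request-id operation key "request-uri" status
SAMPLE_LOG = """\
own0 finance-docs [10/Mar/2024:02:14:01 +0000] 10.20.0.5 arn:aws:iam::111122223333:user/alice r1 REST.GET.OBJECT q1.pdf "GET /finance-docs/q1.pdf HTTP/1.1" 200
own0 finance-docs [10/Mar/2024:02:14:02 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/bob r2 REST.GET.OBJECT q1.pdf "GET /finance-docs/q1.pdf HTTP/1.1" 200
own0 finance-docs [10/Mar/2024:02:14:03 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/bob r3 REST.GET.OBJECT q2.pdf "GET /finance-docs/q2.pdf HTTP/1.1" 200
own0 finance-docs [10/Mar/2024:02:14:04 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/bob r4 REST.GET.OBJECT q3.pdf "GET /finance-docs/q3.pdf HTTP/1.1" 200
own0 finance-docs [10/Mar/2024:02:14:05 +0000] 10.20.0.7 arn:aws:iam::111122223333:user/carol r5 REST.DELETE.OBJECT old.csv "DELETE /finance-docs/old.csv HTTP/1.1" 204
own0 finance-docs [10/Mar/2024:02:14:06 +0000] 10.20.0.7 arn:aws:iam::111122223333:user/carol r6 REST.DELETE.OBJECT old2.csv "DELETE /finance-docs/old2.csv HTTP/1.1" 204
own0 finance-docs [10/Mar/2024:02:14:07 +0000] 10.20.0.5 arn:aws:iam::111122223333:user/alice r7 REST.GET.OBJECT secret.txt "GET /finance-docs/secret.txt HTTP/1.1" 403
"""

LINE_RE = re.compile(
    r'^(\S+) (\S+) \[([^\]]+)\] (\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})')

# Assumed company egress range; the 203.0.113.9 address above is deliberately outside it.
KNOWN_RANGES = [ipaddress.ip_network("10.20.0.0/16")]

def parse(log_text):
    """Yield one dict per well-formed line with just the fields the heuristics need."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, bucket, _, ip, user, _, op, key, _, status = m.groups()
            yield {"bucket": bucket, "ip": ip, "user": user, "key": key,
                   "action": op.split(".")[1] if op.count(".") >= 2 else op, "status": int(status)}

def triage(log_text, get_threshold=3, delete_threshold=2):
    """Return sorted (finding, identity) pairs for each Tip heuristic that fires."""
    gets, deletes, findings = Counter(), Counter(), set()
    for ev in parse(log_text):
        if ev["status"] >= 400:          # Status = Failed: denied or erroring requests
            findings.add(("failed_access", ev["user"]))
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in KNOWN_RANGES):
            findings.add(("unexpected_source_ip", ev["user"]))
        if ev["action"] == "GET":
            gets[(ev["user"], ev["bucket"])] += 1
        elif ev["action"] == "DELETE":
            deletes[ev["user"]] += 1
    for (user, _bucket), n in gets.items():
        if n >= get_threshold:           # high-volume GET against one bucket
            findings.add(("bulk_get", user))
    for user, n in deletes.items():
        if n >= delete_threshold:        # many DELETE operations by one identity
            findings.add(("mass_delete", user))
    return sorted(findings)
```

Each finding names the identity to search for next in the File Access by User grid; tune the thresholds to the normal volume of the bucket being reviewed.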
Configuration Changes
The Configuration Changes tool is a daily audit log that tracks every resource added, deleted, or modified across your storage services. It is updated nightly and lets you filter changes by date range and expand any record to see a detailed before-and-after diff of exactly what changed.

Grid Columns
Change Detected (UTC): when the change was recorded. Supports date range filtering (maximum 31-day range).
Change Type: what happened to the resource: Created, Modified, Deleted, or Baseline
Account ID: the AWS account where the change occurred
Location: the AWS region or location
Resource ID: the identifier of the affected resource
Resource Name: the name of the affected resource
Resource Type: the type of AWS resource (e.g. S3 Bucket, RDS Instance)
All columns support filtering. The Account ID, Location, Resource Type, and Change Type filters offer selectable values drawn from your environment; Resource ID and Resource Name support text search (contains or equals).
Change Types
Created: a new resource was detected that did not exist before
Modified: an existing resource had one or more configuration properties changed
Deleted: a resource was removed
Baseline: the initial snapshot recorded when DataDefender first discovered the resource
Viewing a Diff
Click the expand arrow on any Modified row to see the detailed property-level diff. Each changed property is shown with its previous value and new value, displayed inline or side-by-side.
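As an added illustration written for this page (not DataDefender's own code), here is how comparing two daily snapshots yields the Created, Modified, Deleted and Baseline records and the property-level previous/new diff described above. The resource snapshots and the list of watched properties are constructed sample values.

```python
# Constructed daily snapshots keyed by resource ID (sample values, not a real account).
YESTERDAY = {
    "arn:aws:s3:::finance-docs": {"Type": "S3 Bucket", "Name": "finance-docs",
                                   "PublicAccessBlock": True, "ServerAccessLogging": True},
    "arn:aws:s3:::old-backups": {"Type": "S3 Bucket", "Name": "old-backups",
                                  "PublicAccessBlock": True, "ServerAccessLogging": False},
}
TODAY = {
    "arn:aws:s3:::finance-docs": {"Type": "S3 Bucket", "Name": "finance-docs",
                                   "PublicAccessBlock": False, "ServerAccessLogging": False},
    "arn:aws:s3:::scratch": {"Type": "S3 Bucket", "Name": "scratch",
                             "PublicAccessBlock": True, "ServerAccessLogging": False},
}

# Assumed list of properties whose change weakens a control and deserves a closer look.
WATCHED = {"PublicAccessBlock", "ServerAccessLogging"}

def diff_props(before, after):
    """Property-level diff: {property: (previous value, new value)} for each key that differs."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}

def classify(previous, current):
    """One (change_type, resource_id, diff) record per affected resource.
    previous=None means no earlier snapshot exists, so every resource is a Baseline."""
    if previous is None:
        return [("Baseline", rid, {}) for rid in sorted(current)]
    records = []
    for rid in sorted(set(previous) | set(current)):
        if rid not in previous:
            records.append(("Created", rid, {}))
        elif rid not in current:
            records.append(("Deleted", rid, {}))
        else:
            changed = diff_props(previous[rid], current[rid])
            if changed:                      # unchanged resources produce no record
                records.append(("Modified", rid, changed))
    return records

def weakened_controls(records):
    """Modified records whose diff touched a watched property, keeping only those properties."""
    return [(rid, {k: v for k, v in d.items() if k in WATCHED})
            for kind, rid, d in records if kind == "Modified" and WATCHED.intersection(d)]
```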

Tips
Use Change Type = Modified combined with a narrow date range to investigate what changed on a specific day.
If a security check finding appeared recently, check Configuration Changes for the same resource around the same date to see what was altered.
The Baseline change type is not an alert; it simply marks when DataDefender first recorded a resource's configuration.