I recently tweeted about O365Undo, a script that leverages auditing capabilities in Office 365 to resolve issues with ransomware.

From O365Undo to Netwrix Auditor

The script is created by one of my coworkers, Jos Lieben. He describes O365Undo as a great way to roll back the havoc of cryptolocker or other ransomware using Office 365’s native auditing capabilities. I think he’s found a very creative way of using auditing, which isn’t usually associated with being particularly useful to anyone other than auditors themselves, and I had an a-ha moment during a Tech Field Day presentation by Netwrix. Let me explain!

bigstock-businessman-idea-16589585-e1458605666325So Jos is using the Unified Audit Log capability in Office 365 to be able to restore files to a certain, known clean, point in time. This will help cut down time needed to restore after a ransomware attack, but won’t necessarily prevent it. In addition, the feature does more than audit logging itself and uses some kind of previous versions-like approach for actual file restores in Office 365. This covers anything synced to Office 365, too, like Sharepoint Online or any associated OneDrive folders. This won’t work in traditional (on-perm) solutions, obviously. Using a cloud-specific auditing capability isn’t any help in on-prem scenarios, and vice-versa.

(Note that there are many, many fine tools out there to pro-actively protect file servers and other on-prem assets against ransomware using honeypots, as an example here shows, but that’s a subject for another time.)

Fight ransomware with auditing

But, this is a recap of my a-ha moment: auditing software can be exciting! I went and looked at Netwrix’s Auditor product, and they actually seem to be (at least) one step ahead of me, as the What’s New in version 8 document read this little gem:

Prevent ransomware threats. More comprehensive visibility into systems and data allows quicker detection of suspicious activities or anomalous spikes of activities that may originate from ransomware. It also allows users to deconstruct the kill chain and mitigate possible damage.

And this is where Netwrix comes in: as an additional layer of the proverbial onion, providing protection for the on-prem part of an organization. Going on what I saw in the presentation, Auditor helps you do ad-hoc searches of the audit logs, correlating and coalescing data to remove clutter (see Mark May’s explanation on how a single action can trigger dozens of events and numerous pages of associated audit data) and floating up the relevant information as needed. Although I haven’t seen the part of Auditor that helps in preventing ransomware threats in action, I’m convinced of the additional visibility Auditor can give administrators fighting a ransomware attack, as it’s one of the very few auditing solutions that is user friendly.

So Joep, what’s your point?


As the CTO for a IT services company in the outsourcing business, I see a lot of customers under some kind of regulation. We use a boatload of monitoring, auditing and compliance software applications, most of which want me to beat their respective product managers with a blunt tool for ever coming up with these new lows in user friendliness and usability.

Netwrix Auditor is pleasantly different in this respect. I couldn’t describe why for the life of me, but I understand my limitations with the written word well enough to know that a video speaks a thousand words. So go and watch the same presentation I saw during Tech Field Day 11, and see for yourself. I can recommend the demo, of course.

I can see people actually benefitting of having an audit platform when struck with a ransomware attack to be able to mitigate the attack faster (in conjunction with other pro-active means like a honey pot), have better visibility into the reach and impact of the ransomware and finally do a decent decomposition of the path of destruction post-attack. It’s refreshing and valuable for an audit software company that Netwrix sees this value, too.