topic How to achieve a search to detect a file deletion in fileserver? in Alerting https://community.splunk.com/t5/Alerting/How-to-achieve-a-search-to-detect-a-file-deletion-in-fileserver/m-p/625996#M14621 <P>Hello everyone and thanks in advance.</P> <P>I'm trying to make a search for file deletion but it isn't working.</P> <P>Do you have any example of a use case? I tested using sysmon but when I delete a file I can't see event 23.</P> Thu, 05 Jan 2023 17:37:14 GMT msiri 2023-01-05T17:37:14Z How to achieve a search to detect a file deletion in fileserver? https://community.splunk.com/t5/Alerting/How-to-achieve-a-search-to-detect-a-file-deletion-in-fileserver/m-p/625996#M14621 <P>Hello everyone and thanks in advance.</P> <P>I'm trying to make a search for file deletion but it isn't working.</P> <P>Do you have any example of a use case? I tested using sysmon but when I delete a file I can't see event 23.</P> Thu, 05 Jan 2023 17:37:14 GMT https://community.splunk.com/t5/Alerting/How-to-achieve-a-search-to-detect-a-file-deletion-in-fileserver/m-p/625996#M14621 msiri 2023-01-05T17:37:14Z Re: detect a file deletion in fileserver https://community.splunk.com/t5/Alerting/How-to-achieve-a-search-to-detect-a-file-deletion-in-fileserver/m-p/626000#M14622 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248881">@msiri</a>,</P><P>at first you have to enable file monitoring on the File Server, but I don't know hot to do it.</P><P>Then, you'll have these information in the WinEventLog:Security&nbsp; and you can search it: I don't know the EventCode, but you can ask it to the Windows Administator.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 05 Jan 2023 13:32:06 GMT https://community.splunk.com/t5/Alerting/How-to-achieve-a-search-to-detect-a-file-deletion-in-fileserver/m-p/626000#M14622 gcusello 2023-01-05T13:32:06Z Re: detect a file deletion in fileserver https://community.splunk.com/t5/Alerting/How-to-achieve-a-search-to-detect-a-file-deletion-in-fileserver/m-p/626004#M14623 <P><FONT size="3">Assuming you are using a Windows OS you could:</FONT></P><P><FONT size="3">1) Enable security auditing for files/folders (this is done within the windows OS, can be enabled via group policy)</FONT><BR /><FONT size="3">2) Use SplunkUniversalForwarder to monitor the Event Log for events 4660 &amp; 4663 (see Splunk:<A title="Monitor file system changes on Windows" href="https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorfilesystemchangesonWindows" target="_self">&nbsp;</A></FONT><FONT size="3"><SPAN class=""><A title="Monitor file system changes on Windows" href="https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorfilesystemchangesonWindows" target="_self">Monitor file system changes on Windows</A>)</SPAN></FONT></P> Thu, 05 Jan 2023 13:56:46 GMT https://community.splunk.com/t5/Alerting/How-to-achieve-a-search-to-detect-a-file-deletion-in-fileserver/m-p/626004#M14623 BryantRivera 2023-01-05T13:56:46Z