https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414827#M167108 <P>Hi Adonio,</P> <P>Can you paste the complete query here</P> Thu, 11 Oct 2018 16:18:45 GMT mailmetoramu 2018-10-11T16:18:45Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414818#M167099 <P>Hi All,</P> <P>Actually in one of my server, some files has been deleted from the file path C\Windows\Systems32\drivers\etc\hosts.</P> <P>Under the hosts, the file has been completely deleted by someone, need to investigate on that.</P> <P>Can anyone tell me exact query i need to type in search head to fetch the logs from splunk from this particular directory.</P> <P>Thanks,</P> <P>Ramu.R</P> Thu, 11 Oct 2018 14:40:01 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414818#M167099 mailmetoramu 2018-10-11T14:40:01Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414819#M167100 <P>Can you please try? <CODE>index=* source="C:\\Windows\\Systems32\\drivers\\etc\\hosts.*"</CODE></P> Thu, 11 Oct 2018 14:53:34 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414819#M167100 ddrillic 2018-10-11T14:53:34Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414820#M167101 <P>are you pulling that data into splunk? <BR /> to find deletions or file modifications, you will have to enable auditing on that particular directory / file<BR /> this is being done on the windows (OS) side. also, you will have to pull and bring windows security event logs to splunk</P> Thu, 11 Oct 2018 15:09:49 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414820#M167101 adonio 2018-10-11T15:09:49Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414821#M167102 <P>If your windows AD data is coming into splunk indexes, then you can identify who has deleted it most probably </P> Thu, 11 Oct 2018 15:25:53 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414821#M167102 iamarkaprabha 2018-10-11T15:25:53Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414822#M167103 <P>i think it will be good to double check, without proper auditing rules enabled on the directory or file prior to deletion, imho widows will not log the file deletion.</P> Thu, 11 Oct 2018 15:31:46 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414822#M167103 adonio 2018-10-11T15:31:46Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414823#M167104 <P>I think it will log those info. The event code for file deletion is 4656 . <BR /> Please refer to the below links for more information.</P> <P><A href="https://www.netwrix.com/how_to_detect_who_deleted_file.html">https://www.netwrix.com/how_to_detect_who_deleted_file.html</A><BR /> <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4656">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4656</A></P> Thu, 11 Oct 2018 15:52:15 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414823#M167104 iamarkaprabha 2018-10-11T15:52:15Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414824#M167105 <P>Hi ddrillic,</P> <P>Its not working actually, moreover i did not see the host name mentioned in your query.</P> <P>Thanks,</P> <P>Ramu.R</P> Thu, 11 Oct 2018 16:04:18 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414824#M167105 mailmetoramu 2018-10-11T16:04:18Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414825#M167106 <P>All proper rules has been enabled perfectly. Just mention only the required query instead of posting links for articles, i have already gone through 100s of link like these, then only i came here for answer.</P> Thu, 11 Oct 2018 16:07:09 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414825#M167106 mailmetoramu 2018-10-11T16:07:09Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414826#M167107 <P>in that case, look for <CODE>... EventCode=4656 ... &lt;file name&gt; ...</CODE></P> Thu, 11 Oct 2018 16:13:54 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414826#M167107 adonio 2018-10-11T16:13:54Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414827#M167108 <P>Hi Adonio,</P> <P>Can you paste the complete query here</P> Thu, 11 Oct 2018 16:18:45 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414827#M167108 mailmetoramu 2018-10-11T16:18:45Z https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414828#M167109 <P>Hi All,</P> <P>Lets make my question as below : </P> <P>Hostname : abc123</P> <P>File Path : C\Windows\System32\drivers\etc\hosts</P> <P>Under the hosts, the file has been completely deleted by someone. Can anyone tell me exact query for this scenario.</P> <P>Thanks,</P> <P>Ramu.R</P> Fri, 12 Oct 2018 14:34:20 GMT https://community.splunk.com/t5/Splunk-Search/File-Deletion-search-query/m-p/414828#M167109 mailmetoramu 2018-10-12T14:34:20Z