Hello everyone and thanks in advance.
I'm trying to make a search for file deletion but it isn't working.
Do you have any example of a use case? I tested using sysmon but when I delete a file I can't see event 23.
Assuming you are using a Windows OS you could:
1) Enable security auditing for files/folders (this is done within the Windows OS, can be enabled via group policy)
2) Use SplunkUniversalForwarder to monitor the Event Log for events 4660 & 4663 (see Splunk: Monitor file system changes on Windows)
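The two steps above, worked through as an added PowerShell example (not part of the original answer): it turns on the "File System" audit subcategory and puts an audit entry (SACL) for Delete rights on a folder so that deletions produce 4660/4663 in the Security log, which the forwarder then picks up. The path `C:\Shares\Finance` is a constructed placeholder; it must be run from an elevated session, because reading and writing SACLs needs SeSecurityPrivilege. Note also that Sysmon event 23 only appears if the Sysmon configuration contains a `FileDelete` rule, which is the usual reason it is not seen.

```powershell
# Added example: enable object-access auditing for file deletions on Windows.
# Step 1 of the answer: turn on the audit policy subcategory that emits 4660/4663.
function Enable-FileSystemAuditPolicy {
    # auditpol is the built-in tool; this is equivalent to the GPO setting
    # "Audit File System" under Advanced Audit Policy Configuration.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # Return the effective setting so the caller can confirm it.
    auditpol /get /subcategory:"File System"
}

# Step 1 (continued): add a SACL entry on the folder. Without a SACL the policy
# alone produces nothing, which is the most common cause of "no events".
function Enable-FileDeleteAudit {
    param(
        [Parameter(Mandatory)] [string] $Path   # folder to watch (placeholder below)
    )

    # Use the well-known SID for Everyone so this works on non-English systems.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

    # Audit successful Delete / DeleteSubdirectoriesAndFiles, inherited by
    # subfolders and files, so each deletion yields 4663 (DELETE access) and 4660.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)

    # -Audit is required to read the SACL; otherwise Set-Acl would drop it.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Show the resulting audit entries for verification.
    (Get-Acl -Path $Path -Audit).Audit
}

# Step 2 of the answer: confirm the events are being written before touching
# the forwarder. After deleting a test file under the folder, 4660/4663 should
# appear here; if they do, the WinEventLog:Security input will forward them.
function Get-RecentFileDeleteEvents {
    param([int] $MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, Message
}

# Usage (constructed placeholder path; run elevated):
Enable-FileSystemAuditPolicy
Enable-FileDeleteAudit -Path 'C:\Shares\Finance'
# Delete a test file in that folder, then:
Get-RecentFileDeleteEvents
```

Once events show up locally, the matching Splunk search is simply `source="WinEventLog:Security" (EventCode=4660 OR EventCode=4663)`, and 4663 carries the object name and the account that requested DELETE access. Audit Everyone only on the folders that matter: a SACL on a whole volume generates a large volume of 4663 events.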
Hi @msiri,
at first you have to enable file monitoring on the File Server, but I don't know how to do it.
Then, you'll have this information in the WinEventLog:Security and you can search it: I don't know the EventCode, but you can ask the Windows Administrator for it.
Ciao.
Giuseppe