Solved: Use case to track the file deletion from windows f...

msplunk33 · ‎08-04-2021

I need to setup an alert to track when ever someone delete any file from a shareholder from windows 2016 file server. I need to know which log need to ingest to Splunk for setting up this alert. If you have the splunk query for this that will be help full.

manjunathmeti · ‎08-04-2021

Hi @msplunk33,
Follow this link to setup auditing windows files deletion: https://www.lepide.com/how-to/track-file-deletions-and-permission-changes-on-file-servers.html

Then forward the Windows Security event logs (with event ID 4663) to Splunk using [WinEventLog://Security] monitor. Check this answer for doing this: https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-collect-basic-Windows-OS-Event-Log-dat...

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎08-04-2021

Hi @msplunk33,
Follow this link to setup auditing windows files deletion: https://www.lepide.com/how-to/track-file-deletions-and-permission-changes-on-file-servers.html

Then forward the Windows Security event logs (with event ID 4663) to Splunk using [WinEventLog://Security] monitor. Check this answer for doing this: https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-collect-basic-Windows-OS-Event-Log-dat...

If this reply helps you, a like would be appreciated.

jotne · ‎08-04-2021

This search may give you some:

source="WinEventLog:Security" sourcetype=WinEventLog EventCode=4656 Accesses=DELETE Object_Type=File

Use case to track the file deletion from windows files hare

alert condition

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!