Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search command to track file deletion in Windows?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to generate a search command to track file deletions by user.The current command that I have is:
host="myhost" (EventCode=564) | join Handle_ID [search EventCode=560] | stats values(Object_Name) by user
In this command,myhost refers to the windows file server where users have access to sensitive files.I want to capture event 564 as it indicates a file deletion,but will also require to capture its corresponding event 560 as it contains the file name that are deleted.(From my understanding,a file deletion on Windows will generate a event 560,564 and is tied by their same handle ID)
The results should display 2 columns, ie.the user & the files that they've deleted.For eg.
user values(Object_Name)
------------------------------------------------------------------
1 userA C:\02 Department\Main\~$2010_Department.doc
2 userE C:\Program Files\Dept\2010\Report2010.xls
3 userJ D:\Shared\Product\8AABCE.tmp
D:\Shared\Product\~$TK Product Dec.xls
However,the result does not seem right when I did a check.
For eg. running the search command above generates userJ with 2 files deleted.But when I run another search to check:
host="myhost" EventCode="564" user="userJ"
which should produce the number of file deletions by userJ.However then,it shows 5 file deletion events instead of 2.
Any idea on the search command?
Splunk version: 4.1.5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems to work with this search command using transaction instead:
host="myhost" EventCode=564 OR EventCode=560 | transaction Handle_ID startswith=(EventCode=560) endswith=(EventCode=564) | stats values(Object_Name) AS Object by User
If anyone has a confirm solution to identifying object deletion events in windows please advise further.Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems to work with this search command using transaction instead:
host="myhost" EventCode=564 OR EventCode=560 | transaction Handle_ID startswith=(EventCode=560) endswith=(EventCode=564) | stats values(Object_Name) AS Object by User
If anyone has a confirm solution to identifying object deletion events in windows please advise further.Thanks.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
