This is the search I'm running to monitor for delete attempts:
index=_audit sourcetype=audittrail "|" "delete" NOT "search='search index=_audit"
I'm searching the index of _audit and the sourcetype of audittrail for | and delete. Then, so that my searches for delete activity do not generate alerts, I exclude searches of searches that include delete.
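Added example, not from the original post: the same filter expressed in Python over constructed audittrail-style lines, showing why the NOT "search='search index=_audit" exclusion is needed and how a stricter pipe-into-delete pattern avoids flagging searches that merely contain the word delete. The audit field layout and user names are assumptions for this example.

```python
import re

# Constructed sample lines in the style of Splunk _audit / audittrail search
# events (not real log data); the exact field layout is an assumption here.
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-01-2024 10:00:01.000, user=alice, action=search, info=granted, "
    "search='search index=web status=500 | stats count']",
    "Audit:[timestamp=01-01-2024 10:00:05.000, user=bob, action=search, info=granted, "
    "search='search index=web host=app01 sourcetype=access_combined | delete']",
    # the monitoring search's own audit record also contains "|" and "delete"
    "Audit:[timestamp=01-01-2024 10:00:09.000, user=soc, action=search, info=granted, "
    "search='search index=_audit sourcetype=audittrail \"|\" \"delete\" NOT \"search=\\'search index=_audit\"']",
    # benign search that merely mentions the word delete in a string
    "Audit:[timestamp=01-01-2024 10:00:12.000, user=carol, action=search, info=granted, "
    "search='search index=web | eval note=\"delete later\"']",
]

USER_RE = re.compile(r"user=([^,\]]+)")
SEARCH_RE = re.compile(r"search='(.*)'\]$")
# an actual delete command: a pipe, optional whitespace, then the word delete
DELETE_CMD_RE = re.compile(r"\|\s*delete\b")

def matches_posted_search(line):
    """Mirror of the posted SPL: raw event contains '|' and 'delete',
    excluding the monitoring search's own audit record."""
    if "search='search index=_audit" in line:
        return False
    return "|" in line and "delete" in line

def matches_delete_command(line):
    """Stricter check: flag only when the search string really pipes into delete."""
    if "search='search index=_audit" in line:
        return False
    m = SEARCH_RE.search(line)
    return bool(m and DELETE_CMD_RE.search(m.group(1)))

def flagged_users(lines, predicate):
    """Return the users whose audited searches satisfy the predicate."""
    users = []
    for line in lines:
        if predicate(line):
            m = USER_RE.search(line)
            users.append(m.group(1) if m else "<unknown>")
    return users

if __name__ == "__main__":
    print("posted search flags:", flagged_users(SAMPLE_AUDIT, matches_posted_search))
    print("delete command flags:", flagged_users(SAMPLE_AUDIT, matches_delete_command))
```

The literal match flags carol's harmless eval as well as bob's delete; the pipe-anchored pattern keeps only the real delete while both versions drop the soc user's monitoring search.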