File deletion events - Microsoft Servers

Hi Guys,

I have come across multiple requests for the monitoring of file deletions on critical systems (MS to start with) and network shares.

Following the recommendations as per the MS articles (remote deletion in this case), can anyone make any more recommendations to improve the usefulness in ESM?

MS Link : https://blogs.technet.microsoft.com/askds/2009/08/04/tracking-a-remote-file-deletion-back-to-the-sou...

- Events show in ESM, but only the process that deletes the file is listed, not the filename and location (see below)

- Event in Windows does show the filename and location (in event 4663)

- We have removed aggregation on the events temporarily to see if more information is gathered, but no luck there...

I would love to hear any solutions to the issue. It would also be helpful if there is some correlation work on Remote File Deletion (from shares), and attribution to a user/host.

Regards

JaBBa

One update... I think this is a WMI parsing limitation, so a PER might be my only answer...

Message was edited by: Jan vd Merwe

3 Replies
davidp64
Level 9
Message 2 of 4

Re: File deletion events - Microsoft Servers

Hello,

Try this: disable the filter rule, i.e. the Windows Filtering Platform, and turn ON the aggregation.

>>>>>David

rgarrett
Level 9
Message 3 of 4

Re: File deletion events - Microsoft Servers

Looking at Windows Event 4656 (A handle to an object was requested), I believe destination_filename in custom types gives that information. I am on the latest version.

Re: File deletion events - Microsoft Servers

Hi rgarrett.

Thanks for this, I also see these fields in my ESM on event 4656. They do not, however, appear so complete in the event 4663...

Looking at the packet, this information also does not appear there. I am thinking this might be an issue with the WMI parser for this event.

It would seem that the "Object" field was populated with the same information as the Process/Application field. In the event on the Server, the filename is listed as "Object_Name", so I am thinking this is a parsing issue...

Regards

Jan
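The thread's underlying problem is that a file-system event (4663) for a remote deletion names the file in Object_Name but attributes the action only to the kernel process, while the share-level event (5145, Detailed File Share auditing) carries the client address but only a share-relative path. The example below, which is added here and is not code from the original thread or from McAfee ESM, parses both event types from their Windows event XML, keeps only 4663 records whose AccessMask carries the DELETE right (0x10000), and joins them to a 5145 record from the same logon session (SubjectLogonId) whose RelativeTargetName matches the tail of the 4663 ObjectName. The event XML, host names, user names and IP addresses are constructed samples; the choice to require the DELETE bit on the 5145 record as well is an assumption made to reduce false matches.

```python
"""Correlate Windows Security events 4663 (file DELETE access) and 5145
(detailed file share access) to attribute a remote file deletion to a user
and a source address. All sample events below are constructed, not captured."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # the DELETE standard access right in AccessMask

# Constructed sample events (hypothetical host, user and IP values).
SAMPLE_EVENTS = [
    # 1. Remote deletion as seen by file-system auditing: the process is the
    #    kernel, which is why the process alone does not identify the actor.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Computer>FILESRV01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Shares\Finance\Q3-report.xlsx</Data>
    <Data Name="ProcessName">C:\Windows\System32\ntoskrnl.exe</Data>
    <Data Name="AccessMask">0x10000</Data>
  </EventData>
</Event>""",
    # 2. Matching share-level event from the same logon session, carrying
    #    the client address that the 4663 record lacks.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5145</EventID><Computer>FILESRV01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="ShareName">\\*\Finance</Data>
    <Data Name="RelativeTargetName">Q3-report.xlsx</Data>
    <Data Name="AccessMask">0x10000</Data>
  </EventData>
</Event>""",
    # 3. An ordinary local read of the same file: must not be reported.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Computer>FILESRV01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x1a2b3</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Shares\Finance\Q3-report.xlsx</Data>
    <Data Name="ProcessName">C:\Program Files\Backup\agent.exe</Data>
    <Data Name="AccessMask">0x1</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Flatten one event's EventData <Data Name=...> pairs into a dict."""
    root = ET.fromstring(xml_text)
    ev = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def has_delete_access(ev):
    """True when the hexadecimal AccessMask includes the DELETE right."""
    return bool(int(ev.get("AccessMask", "0"), 16) & DELETE)


def attribute_deletions(xml_events):
    """Return one finding per 4663 file deletion, enriched with share name and
    client address from a 5145 record in the same logon session whose
    RelativeTargetName matches the end of the 4663 ObjectName."""
    events = [parse_event(x) for x in xml_events]
    share_access = defaultdict(list)
    for ev in events:
        if ev["EventID"] == "5145" and has_delete_access(ev):
            share_access[ev["SubjectLogonId"]].append(ev)

    findings = []
    for ev in events:
        if ev["EventID"] != "4663" or ev.get("ObjectType") != "File":
            continue
        if not has_delete_access(ev):
            continue
        path = ev["ObjectName"].lower()
        source = None
        for s in share_access.get(ev["SubjectLogonId"], []):
            rel = s["RelativeTargetName"].replace("/", "\\").lower()
            if path.endswith("\\" + rel):
                source = s
                break
        findings.append({
            "host": ev["Computer"],
            "user": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "file": ev["ObjectName"],
            "process": ev["ProcessName"],
            "share": source["ShareName"] if source else None,
            "source_ip": source["IpAddress"] if source else None,
        })
    return findings


if __name__ == "__main__":
    for f in attribute_deletions(SAMPLE_EVENTS):
        print(f)
```

Run stand-alone, the script reports a single finding: the Finance share file deleted by EXAMPLE\jdoe from 10.0.0.25, while the backup agent's read (AccessMask 0x1) is ignored. When the 5145 record is missing, which happens when Detailed File Share auditing is not enabled, the finding is still emitted with `share` and `source_ip` set to `None`, so the deletion itself is never lost; only the attribution to a source host is.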
