3 Replies Latest reply on May 13, 2016 3:03 AM by jabbath3hutt

    File deletion events - Microsoft Servers

    jabbath3hutt

      Hi Guys,


      I have come across multiple requests for the monitoring of file deletions on critical systems (MS to start with) and network shares.


      Following the recommendations as per the MS articles (remote deletion in this case), can anyone make any more recommendations to improve the usefulness in ESM?

      MS Link : https://blogs.technet.microsoft.com/askds/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source/


      - Events show in ESM, but only the process that deletes the file is listed, not the filename and location (see below)

      - Event in Windows does show the filename and location (in event 4663)

      - We have removed aggregation on the events temporarily to see if more information is gathered, but no luck there...


      I would love to hear any solutions to the issue. It would also be helpful if there is some correlation work on Remote File Deletion (from shares), and attribution to a user/Host.


      Regards

      JaBBa


      One update... I think this is a WMI parsing limitation, so a PER might be my only answer...Need to monitor installation software activity on WMI datasource


      Message was edited by: Jan vd Merwe
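As an added example (not from the thread, nor from McAfee ESM or the Microsoft article), here is one way to see on the Windows side what the poster is missing in ESM: the deleted object's path from 4663 and, for deletions made through a share, the source host from the matching type-3 logon (4624). It assumes "Audit File System" and "Audit Logon" are enabled and the watched folders carry a Delete SACL, as the linked article describes; the `$Hours` window is an assumption you can change.

```powershell
# Added example: attribute file deletions (4663 with the DELETE bit) to a user and,
# via the logon ID, to the source workstation/IP of a network (type 3) logon.
param([int]$Hours = 24)

$DELETE = 0x10000                       # DELETE right in the 4663 AccessMask field
$since  = (Get-Date).AddHours(-$Hours)

# Flatten the <EventData> of a Security event into a name -> value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Network logons: TargetLogonId -> "workstation (ip)". Use a wider window than the
# deletions, because the SMB session usually predates the delete.
$logons = @{}
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since.AddHours(-$Hours) } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d['LogonType'] -eq '3') {
            $logons[$d['TargetLogonId']] = "$($d['WorkstationName']) ($($d['IpAddress']))"
        }
    }

# 4663 = object access; only keep entries whose AccessMask carries the DELETE bit.
$deletes = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663; StartTime=$since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if (([int]$d['AccessMask'] -band $DELETE) -eq 0) { return }   # not a deletion
        $logonId = $d['SubjectLogonId']
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object     = $d['ObjectName']        # the path ESM was not showing
            Process    = $d['ProcessName']       # "System" for deletes over a share
            SourceHost = if ($logons.ContainsKey($logonId)) { $logons[$logonId] } else { 'local/unknown' }
        }
    }

$deletes | Sort-Object Time | Format-Table -AutoSize
```

The same join (4663.SubjectLogonId = 4624.TargetLogonId, LogonType 3) is what an ESM correlation rule would need once the parser exposes ObjectName and the logon ID as fields.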