Network Share File Deletions
- Sat, Oct 1 2022 at 6:16 am #1567957 Jon Albright (Participant, Member Points: 128, Rank: 2)
I had to turn on auditing on some of our server file shares due to either accidental or intentional file/folder deletions & have been experimenting with a couple of scripts I found that launch when event ID 4663 occurs in the Security log. Unfortunately, along with some other processes that occur which generate 4663, this event ID is also generated whenever a file is renamed & as a result, the log file is capturing a lot of superfluous information. I have accessible template folder structures on the server which are used to store various files that relate to customer projects. These templates are copied & then renamed to match whatever the project name is & so hence, each time this occurs, event ID 4663 is generated and records each folder / subfolder into the .CSV file I use to import into PostgreSQL. Is there a particular value within the generated array of values that is specific to only the file / folder being deleted? It seems that the hex value 0x10000 (65536) array member doesn’t seem to be filtering as anticipated.
- Sun, Oct 2 2022 at 2:46 am #1567960 David Johnson (Participant, Member Points: 56, Rank: 1)
Open the Event Viewer and search the security log for event ID 4656 with a task category of “File System” or “Removable Storage” and the string “Accesses: DELETE”. https://www.netwrix.com/how_to_detect_who_deleted_file.html#:~:text=Navigate%20to%20%E2%80%9CReports%E2%80%9D%20%E2%86%92%20Click,%E2%80%9D%20%E2%86%92%20Click%20%E2%80%9CView%E2%80%9D.
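An added example, not code from either poster: a rename also requests DELETE access, so the 0x10000 bit on a 4663 event cannot separate renames from deletions by itself. The sketch below keeps a 4663 only when its handle also appears in a 4660 ("An object was deleted") event; it assumes 4660 events are being logged alongside 4663, and the sample events, user names and paths are constructed.

```powershell
# Constructed sample events, trimmed to the fields used below (not from a real log).
[xml]$log = @'
<Events>
 <Event><System><EventID>4663</EventID></System><EventData>
  <Data Name="SubjectUserName">jdoe</Data><Data Name="ObjectName">D:\Shares\Template - Copy</Data>
  <Data Name="HandleId">0x1a4</Data><Data Name="AccessMask">0x10000</Data></EventData></Event>
 <Event><System><EventID>4663</EventID></System><EventData>
  <Data Name="SubjectUserName">jdoe</Data><Data Name="ObjectName">D:\Shares\Acme\spec.docx</Data>
  <Data Name="HandleId">0x2b8</Data><Data Name="AccessMask">0x1</Data></EventData></Event>
 <Event><System><EventID>4663</EventID></System><EventData>
  <Data Name="SubjectUserName">asmith</Data><Data Name="ObjectName">D:\Shares\Acme\quote.xlsx</Data>
  <Data Name="HandleId">0x3cc</Data><Data Name="AccessMask">0x10000</Data></EventData></Event>
 <Event><System><EventID>4660</EventID></System><EventData>
  <Data Name="SubjectUserName">asmith</Data><Data Name="HandleId">0x3cc</Data></EventData></Event>
</Events>
'@

$DELETE = 0x10000   # DELETE bit of the access mask

function Get-Field($Record, [string]$Name) {
    # Event data is a list of <Data Name="...">value</Data> elements
    ($Record.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-ConfirmedDeletion([xml]$Log) {
    $events = @($Log.Events.Event)
    # Handles that a 4660 event reports as actually deleted
    $deleted = @{}
    $events | Where-Object { $_.System.EventID -eq '4660' } |
        ForEach-Object { $deleted[(Get-Field $_ 'HandleId')] = $true }

    foreach ($e in ($events | Where-Object { $_.System.EventID -eq '4663' })) {
        # AccessMask is a hex string such as "0x10000": convert it, then test the bit
        $mask   = [Convert]::ToInt32((Get-Field $e 'AccessMask'), 16)
        $handle = Get-Field $e 'HandleId'
        if (($mask -band $DELETE) -and $deleted.ContainsKey($handle)) {
            [pscustomobject]@{
                User = Get-Field $e 'SubjectUserName'
                Path = Get-Field $e 'ObjectName'
            }
        }
    }
}

# The rename (0x1a4) and the read (0x2b8) are dropped; only the deletion remains.
Get-ConfirmedDeletion $log | ConvertTo-Csv -NoTypeInformation
```

Handle values are reused over time, so against a live log also match the ProcessId field and limit the pairing to events a few seconds apart.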
- Wed, Oct 12 2022 at 11:39 am #1568139 Jon Albright (Participant, Member Points: 128, Rank: 2)
Thanks for your response David. Been away for a bit & hence the delayed response. Will take a look & see how I can make it work.