I had to turn on auditing on some of our server file shares due to either accidental or intentional file/folder deletions & have been experimenting with a couple scripts I found that launches when event id 4663 occurs in the Security log. Unfortunately, along with some other processes that occur which generated 4663, this event id is also generated whenever a file is renamed & as a result, the log file is capturing a lot of superfluous information. I have accessible template folder structures on the server which are used to store various files that relate to customer projects. These templates are copied & then renamed to match whatever the project name is & so hence, each time this occurs, event id 4663 is generated and records each folder / subfolder into the .CSV file I use to import into PostgreSQL. Is there a particular value within the generated array of values that is specific to only the file / folder being deleted? It seems that the hex value 0x10000 (65536) array member doesn’t seem to be filtering as anticipated.