Recently I was asked to provide a solution for detecting file deletions in a sensitive folder on a file server, using Windows audit data and Azure Log Analytics.
This can be a little tricky for two reasons:
- event 4663 (An attempt was made to access an object) is logged both on file delete and on file rename, because a rename also requests the DELETE access right on the file
- event 4660 (An object was deleted) is only logged on an actual delete, but that event does not contain the ObjectName (file name)
The solution is to join the two events on HandleId: 4663 supplies the file name and 4660 confirms the file was really deleted. Because handle IDs are reused over time, the join should also be scoped to the same computer and process and to a short time window, otherwise an unrelated 4660 can pair with a stale 4663.
Remember to change the computer name in the let statement on the first line of the query.
Note: I am also excluding the Microsoft Defender for Endpoint processes (SenseIR.exe and MsSense.exe) that "touch" files during investigations, so their activity does not show up in the output.
let ComputerName = "filesrv003p";
// 4663: access attempt with the DELETE right. Logged for deletes and renames, but carries the file name.
SecurityEvent
| where Computer contains ComputerName
| where EventID == 4663
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array EventData
| extend EventName=tostring(EventData['@Name']), EventValue=EventData['#text']
// keep Computer so the join can be scoped per host
| evaluate pivot(EventName, any(EventValue), TimeGenerated, EventID, Computer)
| where ObjectType == "File"
// exclude Defender for Endpoint processes that open files during investigations
| where ProcessName !contains "SenseIR.exe" and ProcessName !contains "MsSense.exe"
| extend HandleId = tostring(HandleId), ProcessId = tostring(ProcessId)
// 4660: the actual deletion. No file name, but the same HandleId and ProcessId as the 4663.
// kind=inner keeps every matching pair; the default (innerunique) silently drops duplicate left-side keys.
| join kind=inner (SecurityEvent
    | where Computer contains ComputerName
    | where EventID == 4660
    | extend EventData = parse_xml(EventData).EventData.Data
    | mv-expand bagexpansion=array EventData
    | extend EventName=tostring(EventData['@Name']), EventValue=EventData['#text']
    | evaluate pivot(EventName, any(EventValue), TimeGenerated, EventID, Computer)
    | extend HandleId = tostring(HandleId), ProcessId = tostring(ProcessId))
    on Computer, HandleId, ProcessId
// HandleId values are reused, so require the 4660 to follow its 4663 within a short window
| where TimeGenerated1 >= TimeGenerated and TimeGenerated1 - TimeGenerated < 1m
| project TimeGenerated, Computer, ObjectName, SubjectUserName, ProcessName
| sort by TimeGenerated desc
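The same 4663 to 4660 correlation can be run locally on the file server against the Security log, which is a useful check that the SACL and audit policy really produce the event pair before the data shows up in Log Analytics. This is an added example, not code from the original post; it assumes it runs elevated on the file server, and the function name and the -Since, -ExcludeProcess and -MaxGap parameters are my own.

```powershell
# Added example (not from the original post): join 4663 and 4660 on HandleId
# locally with Get-WinEvent, mirroring the KQL query above.
# Assumptions: runs elevated on the file server; function and parameter names are my own.
function Get-AuditedFileDeletion {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [string[]]$ExcludeProcess = @('SenseIR.exe', 'MsSense.exe'),   # MDE processes, as in the query
        [timespan]$MaxGap = [timespan]::FromMinutes(1)                 # 4660 must follow its 4663 within this window
    )

    # One read of the Security log for both event IDs
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $Since } -ErrorAction SilentlyContinue

    # Flatten the <Data Name="..."> elements into a hashtable, like the parse_xml/pivot step in KQL
    $parsed = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Data = $data }
    }

    $deleted = @($parsed | Where-Object { $_.Id -eq 4660 })
    $access  = @($parsed | Where-Object { $_.Id -eq 4663 -and $_.Data.ObjectType -eq 'File' })

    foreach ($del in $deleted) {
        # HandleId values are reused, so also require the same ProcessId and a tight time window,
        # and take the latest 4663 that precedes this 4660
        $match = $access | Where-Object {
            $_.Data.HandleId  -eq $del.Data.HandleId  -and
            $_.Data.ProcessId -eq $del.Data.ProcessId -and
            $_.Time -le $del.Time -and ($del.Time - $_.Time) -le $MaxGap
        } | Sort-Object Time -Descending | Select-Object -First 1
        if (-not $match) { continue }

        # Drop Defender for Endpoint activity
        $excluded = $ExcludeProcess | Where-Object { $match.Data.ProcessName -like "*\$_" }
        if ($excluded) { continue }

        [pscustomobject]@{
            TimeGenerated   = $match.Time
            ObjectName      = $match.Data.ObjectName
            SubjectUserName = $match.Data.SubjectUserName
            ProcessName     = $match.Data.ProcessName
        }
    }
}

Get-AuditedFileDeletion | Sort-Object TimeGenerated -Descending | Format-Table -AutoSize
```

If this returns nothing after you delete a test file in the audited folder, the problem is in the audit configuration (SACL or auditpol), not in the Log Analytics query.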
Prerequisites – audit configuration
Enable auditing on the folder (folder Properties > Security > Advanced > Auditing) for a group of users or for Everyone. Under the advanced permissions, select 'Delete' and 'Delete subfolders and files', for both Success and Fail, and let the entry apply to this folder, subfolders and files.
Also check that the audit subcategories 'Handle Manipulation' and 'File System' (under the Object Access category) are enabled for success and failure; without them the 4663/4660 events are never written. Otherwise you can enable them with the two commands below:
auditpol /set /subcategory:"Handle manipulation" /success:enable /failure:enable
auditpol /set /subcategory:"file system" /success:enable /failure:enable
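The same prerequisites can be applied and verified from an elevated PowerShell session instead of clicking through the folder's Advanced Security dialog. This is an added example, not from the original post; the folder path is a placeholder you must change, and the final test file name is my own.

```powershell
# Added example (not from the original post): set the audit SACL on the folder,
# enable the two audit subcategories, then verify by deleting a test file.
# Assumptions: run elevated on the file server; $Folder is a placeholder path.
$Folder = 'D:\Shares\Sensitive'   # placeholder, change to the sensitive folder

# Audit rule: Everyone, Success + Failure, Delete and Delete subfolders and files,
# inherited by subfolders and files (ContainerInherit + ObjectInherit)
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)

# -Audit reads the SACL (needs SeSecurityPrivilege, i.e. an elevated session); AddAuditRule merges the entry
$Acl = Get-Acl -Path $Folder -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# Show the resulting audit entries on the folder
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Enable the two subcategories the query depends on and read the effective policy back
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"Handle Manipulation"
auditpol /get /subcategory:"File System"

# End-to-end check: delete a test file and confirm a 4660 was written for it
$Test = Join-Path $Folder 'audit-test.txt'   # test file name is my own
Set-Content -Path $Test -Value 'audit test'
Remove-Item -Path $Test
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660; StartTime = (Get-Date).AddMinutes(-1) } -MaxEvents 5 |
    Format-List TimeCreated, Id, Message
```

Note that Set-Acl only writes the SACL when the object came from Get-Acl -Audit; without -Audit the audit entries are silently ignored. The auditpol subcategory names are not case sensitive, so the original lowercase "file system" works as well.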
Happy hunting 🙂