How to detect file deletions using audit data (SecurityEvent) & Azure Log Analytics?

Recently I was asked to provide a solution to detect file deletions in a sensitive folder on a file server, using audit data and Azure Log Analytics.

This is a little tricky for two reasons:

  • event 4663 is logged both on file delete and on file rename
  • event 4660 is only logged on file delete, but that event doesn’t contain the ObjectName (file name)

The solution is to join the two events on HandleId.

Remember to change the computer name in the let statement on the first line.

Note: I am also excluding MDE (Microsoft Defender for Endpoint) “touching” the file, so that it does not show up in the output.

let ComputerName = "filesrv003p";   // change to the file server you are monitoring
SecurityEvent
| where Computer contains ComputerName
| where EventID == 4663             // object access: logged on both delete and rename
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array EventData
| extend EventName=tostring(EventData['@Name']), EventValue=EventData['#text']
| evaluate pivot(EventName, any(EventValue), TimeGenerated, EventID)   // one column per Data Name
| where ObjectType == "File"
| where ProcessName !contains "SenseIR.exe" and ProcessName !contains "MsSense.exe"   // drop MDE activity
| extend HandleId = tostring(HandleId)
| join (SecurityEvent
        | where Computer contains ComputerName
        | where EventID == 4660     // object deleted: carries HandleId but no ObjectName
        | extend EventData = parse_xml(EventData).EventData.Data
        | mv-expand bagexpansion=array EventData
        | extend EventName=tostring(EventData['@Name']), EventValue=EventData['#text']
        | evaluate pivot(EventName, any(EventValue), TimeGenerated, EventID)
        | extend HandleId = tostring(HandleId))
    on HandleId                     // only 4663 rows with a matching 4660 are real deletions
| project TimeGenerated, ObjectName, SubjectUserName,ProcessName
| sort by TimeGenerated desc
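To make the join logic easy to test outside Log Analytics, here is an added Python example (not from the original post) that does the same parse, pivot and HandleId join over constructed sample EventData XML. The sample rows, paths and handle values are made up; the three 4663 rows cover a real delete, a rename (no matching 4660) and an MDE touch.

```python
import xml.etree.ElementTree as ET

# Constructed sample rows (not real audit data), shaped like the EventData column
# of the SecurityEvent table. 4663 is logged for both a delete and a rename;
# 4660 is logged only for a delete and carries HandleId but no ObjectName.
def _ev(**fields):
    return "<EventData>" + "".join(
        f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items()) + "</EventData>"

MDE_DIR = "C:\\Program Files\\Windows Defender Advanced Threat Protection\\"
SAMPLE_EVENTS = [
    (4663, _ev(SubjectUserName="alice", ObjectType="File", HandleId="0x1a4",
               ObjectName="E:\\Sensitive\\contract.docx",
               ProcessName="C:\\Windows\\explorer.exe")),           # real delete
    (4663, _ev(SubjectUserName="alice", ObjectType="File", HandleId="0x2b8",
               ObjectName="E:\\Sensitive\\draft.docx",
               ProcessName="C:\\Windows\\explorer.exe")),           # rename only
    (4663, _ev(SubjectUserName="SYSTEM", ObjectType="File", HandleId="0x3cc",
               ObjectName="E:\\Sensitive\\report.xlsx",
               ProcessName=MDE_DIR + "SenseIR.exe")),               # MDE touching the file
    (4660, _ev(SubjectUserName="alice", HandleId="0x1a4",
               ProcessName="C:\\Windows\\explorer.exe")),
    (4660, _ev(SubjectUserName="SYSTEM", HandleId="0x3cc",
               ProcessName=MDE_DIR + "SenseIR.exe")),
]

MDE_PROCESSES = ("senseir.exe", "mssense.exe")   # KQL 'contains' is case-insensitive

def pivot_event_data(xml_text):
    """Mimic parse_xml + mv-expand + pivot: returns {Data@Name: #text}."""
    root = ET.fromstring(xml_text)
    return {el.get("Name"): (el.text or "")
            for el in root.iter() if el.tag.endswith("Data") and el.get("Name")}

def find_deletions(events):
    """Return (ObjectName, SubjectUserName, ProcessName) for 4663 rows whose
    HandleId also appears in a 4660 row, i.e. real deletions, not renames."""
    opened, deleted_handles = {}, set()
    for event_id, xml_text in events:
        f = pivot_event_data(xml_text)
        if event_id == 4663:
            if f.get("ObjectType") != "File":
                continue
            if any(p in f.get("ProcessName", "").lower() for p in MDE_PROCESSES):
                continue                      # same exclusion as the KQL !contains
            opened[f["HandleId"]] = f
        elif event_id == 4660:
            deleted_handles.add(f["HandleId"])
    return [(f["ObjectName"], f["SubjectUserName"], f["ProcessName"])
            for h, f in opened.items() if h in deleted_handles]
```

HandleId values are recycled by the OS, so on a real tenant the join should also be restricted to the same Computer and a short time window, otherwise an old 4660 can pair with an unrelated later 4663.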

Prerequisites: audit configuration

Enable auditing on the folder for a group of users or for Everyone. Under advanced permissions, choose to log ‘Delete’ and ‘Delete subfolders and files’.

Also check that the audit subcategories ‘Handle Manipulation’ and ‘File System’ are enabled for success and failure. Otherwise you can enable them using the two commands below:

auditpol /set /subcategory:"Handle manipulation" /success:enable /failure:enable
auditpol /set /subcategory:"file system" /success:enable /failure:enable

Happy hunting 🙂
