{"id":263,"date":"2022-12-24T00:28:54","date_gmt":"2022-12-23T23:28:54","guid":{"rendered":"https:\/\/mortenknudsen.net\/?p=263"},"modified":"2022-12-27T22:59:30","modified_gmt":"2022-12-27T21:59:30","slug":"how-to-show-file-deletions-using-ad-audit-loganalytics","status":"publish","type":"post","link":"https:\/\/mortenknudsen.net\/?p=263","title":{"rendered":"How to detect File Deletions using Audit-data (SecurityEvent) &#038; Azure LogAnalytics ?"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Recently I was asked to provide a solution to detect file deletions in a sensitive folder on a file server, using audit data and Azure LogAnalytics.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This can be a little tricky for two reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>event 4663 is logged both on file delete and on file rename<\/li>\n\n\n\n<li>event 4660 is only logged on file delete, but that event doesn&#8217;t contain the object name (filename)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The solution is to join the two events on HandleId, so that only 4663 events that also have a matching 4660 event are reported.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Remember to change the ComputerName value in the let statement on the first line to your own file server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Note: I am also excluding the Microsoft Defender for Endpoint (MDE) processes that &#8220;touch&#8221; the file (SenseIR.exe and MsSense.exe), so they do not show up in the output.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>let ComputerName = \"filesrv003p\";\nSecurityEvent\n| where Computer contains ComputerName\n| where EventID == 4663\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| extend EventName=tostring(EventData['@Name']), EventValue=EventData['#text']\n| evaluate pivot(EventName, any(EventValue), TimeGenerated, EventID)\n| where ObjectType == \"File\"\n| where ProcessName !contains \"SenseIR.exe\" and ProcessName !contains \"MsSense.exe\"\n| extend HandleId = tostring(HandleId)\n| join (SecurityEvent\n        | where Computer contains ComputerName\n        | where EventID == 4660\n        | extend EventData = parse_xml(EventData).EventData.Data\n        | mv-expand bagexpansion=array EventData\n        | extend EventName=tostring(EventData['@Name']), EventValue=EventData['#text']\n        | evaluate pivot(EventName, any(EventValue), TimeGenerated, EventID)\n        | extend HandleId = tostring(HandleId))\n    on HandleId\n| project TimeGenerated, ObjectName, SubjectUserName, ProcessName\n| sort by TimeGenerated desc\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Pre-requisites &#8211; Audit configuration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Enable auditing on the folder for a group of users or for Everyone. Under advanced permissions, choose to log &#8216;Delete&#8217; and &#8216;Delete subfolders and files&#8217;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"929\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2022\/12\/audit-1024x929.png\" alt=\"\" class=\"wp-image-269\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2022\/12\/audit-1024x929.png 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2022\/12\/audit-300x272.png 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2022\/12\/audit-768x697.png 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2022\/12\/audit.png 1094w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Also check that the audit subcategories &#8216;Handle manipulation&#8217; and &#8216;File system&#8217; are enabled for both success and failure. Otherwise you can enable them using the two commands below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>auditpol \/set \/subcategory:\"Handle manipulation\" \/success:enable \/failure:enable\nauditpol \/set \/subcategory:\"file system\" \/success:enable \/failure:enable<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Happy hunting \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I was asked to provide a solution to detect file deletions on a file server in a sensitive folder &#8230; <\/p>\n<p class=\"read-more-container\"><a title=\"How to detect File Deletions using Audit-data (SecurityEvent) &#038; Azure LogAnalytics ?\" class=\"read-more button\" href=\"https:\/\/mortenknudsen.net\/?p=263#more-263\" aria-label=\"Read more about How to detect File Deletions using Audit-data (SecurityEvent) &#038; Azure LogAnalytics ?\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"ngg_post_thumbnail":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[55,54,57],"tags":[93,18,92,91,47,5,80,15],"class_list":["post-263","post","type-post","status-publish","format-standard","hentry","category-azure","category-azure-loganalytics","category-azure-security","tag-audit","tag-azure","tag-delete","tag-file","tag-file-deletion","tag-loganalytics","tag-microsoftsecurity","tag-securityevent","infinite-scroll-item"],"featured_image_src":null,"author_info":{"display_name":"Morten Knudsen","author_link":"https:\/\/mortenknudsen.net\/?author=1"},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=263"}],"version-history":[{"count":5,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/263\/revisions"}],"predecessor-version":[{"id":316,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/263\/revisions\/316"}],"wp:attachment":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}