
SMB file audit delete events

Hi

 

I have a question concerning SMB file audit delete events. We see two different types of events:

 

EVENT_ID: 4659  "Open Object with the intent to delete"

EVENT_ID: 4660  "Delete Object"

 

When we delete a file, event 4659 is always generated, but 4660 not in every case. 4660 is created when deleting MS-Office .tmp files for example.

 

We must make sure to catch the correct event for the case: "user deletes a file" every time this happens. Can anyone tell me how to do this?

 

thx and regards

sandsturm