SMB file audit delete events
2017-11-20 01:33 AM
I have a question concerning SMB file audit delete events. We see two different types of events:
EVENT_ID: 4659 "Open Object with the intent to delete"
EVENT_ID: 4660 "Delete Object"
When we delete a file, event 4659 is always generated, but 4660 is not generated in every case. 4660 is created when deleting MS-Office .tmp files, for example.
We must make sure to catch the correct event for the case "user deletes a file" every time this happens. Can anyone tell me how to do this?
thx and regards