Network Storage Protocols Discussions

SMB file audit delete events




I have a question concerning SMB file audit delete events. We see two different types of events:


EVENT_ID: 4659  "Open Object with the intent to delete"

EVENT_ID: 4660  "Delete Object"


When we delete a file, event 4659 is always generated, but 4660 is not in every case. 4660 is created when deleting MS-Office .tmp files, for example.


We must make sure to catch the correct event for the case "user deletes a file" every time this happens. Can anyone tell me how to do this?


thx and regards

