The first event (ID 563) happens when a file is opened with FILE_DELETE_ON_CLOSE, which is usually used for temporary files. NetApp will automatically delete that file when the last open file handle to it has been closed. Note that you (or rather a program) can also use that flag to force deletion of a file that is currently in use by another program (it still needs the delete permission on the file itself, of course; you cannot delete random files that way).
Actually, event ID 563 seems to happen even when deleting normal files, not just temporary ones. I've installed a NetApp simulator and created some shares, and when I try to delete something, the following is always triggered:
Object Open with DELETE access on <filename>
Then, if I press "I'm sure to delete" in explorer.exe:
Object Open with DELETE accesses on <filename>
Object Access Attempt with DELETE and DELETE_CHILD accesses, on <filename>.
Can I safely assume there isn't a delete until I find the last event? The online documentation does not state anything about...
I'm looking for something that spares me the need to empirically find out the "real" action. But again, I found no clear documentation at all.