KBI 311905 How To Alert File Deletion Audit Event Using Argent for Compliance

Version

All Versions of Argent AT

Date

Friday, 22 January 2021

Summary

This article describes how to alert on the file audit events that indicate a file deletion using Argent for Compliance.

Technical Background

A file deletion in Microsoft Windows generates a chain of Security log events: Event IDs 4656 (handle requested), 4663 (object accessed), 4660 (object deleted) and 4658 (handle closed). They are correlated by object handle ID and process ID.

Alerting on a single Event ID, e.g. 4656, does not always give an accurate trace: a handle can be requested with delete access and then closed without the file ever being deleted.

Therefore, Argent for Compliance was designed to use the sequence of file audit events, rather than any single event, to identify a deletion operation.
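The correlation described above, shown as an added example that is not part of this KB article or of Argent's own code. It walks a constructed stream of Security log events (only the fields needed here are modelled: EventID, HandleId, ProcessId, ObjectName) and reports a deletion only when the 4656 -> 4660 -> 4658 sequence completes for the same process ID and handle ID; a naive 4656-only count is computed alongside to show why a single Event ID over-alerts. Event 4660 carries no object name in the real log, which is why the name has to be recovered from the matching 4656.

```python
"""Correlate Windows file-deletion audit events by (ProcessId, HandleId).

Added example for illustration; the event records below are constructed
sample data, not captured from a real system.
"""

# Constructed sample events modelled on Security log fields.
SAMPLE_EVENTS = [
    # Genuine deletion: handle requested, accessed, deleted, closed.
    {"EventID": 4656, "HandleId": "0x1a4", "ProcessId": "0x1f0", "ObjectName": r"C:\Data\report.docx"},
    {"EventID": 4663, "HandleId": "0x1a4", "ProcessId": "0x1f0", "ObjectName": r"C:\Data\report.docx"},
    {"EventID": 4660, "HandleId": "0x1a4", "ProcessId": "0x1f0"},   # no ObjectName on a real 4660
    {"EventID": 4658, "HandleId": "0x1a4", "ProcessId": "0x1f0"},
    # Handle opened and closed with no 4660 in between: the file was NOT deleted.
    {"EventID": 4656, "HandleId": "0x2b8", "ProcessId": "0x1f0", "ObjectName": r"C:\Data\notes.txt"},
    {"EventID": 4658, "HandleId": "0x2b8", "ProcessId": "0x1f0"},
    # Same handle value reused by a different process; must not be mixed
    # up with the first chain, hence the (ProcessId, HandleId) key.
    {"EventID": 4656, "HandleId": "0x1a4", "ProcessId": "0x3c0", "ObjectName": r"C:\Data\other.txt"},
    {"EventID": 4658, "HandleId": "0x1a4", "ProcessId": "0x3c0"},
]


def naive_4656_alerts(events):
    """What alerting on 4656 alone would report: every handle request."""
    return [ev["ObjectName"] for ev in events if ev["EventID"] == 4656]


def correlate_deletions(events):
    """Return object names whose 4656 -> (4663) -> 4660 -> 4658 chain completed.

    State is keyed on (ProcessId, HandleId); handle IDs are only unique
    within a process, so the process ID is part of the key.
    """
    open_handles = {}  # (ProcessId, HandleId) -> {"ObjectName": str, "deleted": bool}
    deletions = []
    for ev in events:
        key = (ev["ProcessId"], ev["HandleId"])
        eid = ev["EventID"]
        if eid == 4656:
            # Start of a chain: remember the object name, since later
            # events in the chain do not all carry it.
            open_handles[key] = {"ObjectName": ev["ObjectName"], "deleted": False}
        elif eid == 4663:
            # Access attempt on an already-tracked handle; nothing to decide yet.
            continue
        elif eid == 4660:
            # The object behind this handle was deleted.
            if key in open_handles:
                open_handles[key]["deleted"] = True
        elif eid == 4658:
            # Handle closed: the chain is complete, emit an alert only if
            # a 4660 was seen for this handle.
            state = open_handles.pop(key, None)
            if state is not None and state["deleted"]:
                deletions.append(state["ObjectName"])
    return deletions


if __name__ == "__main__":
    print("4656-only alerts:", naive_4656_alerts(SAMPLE_EVENTS))
    print("Correlated deletions:", correlate_deletions(SAMPLE_EVENTS))
```

On the constructed stream the single-event approach reports three files while the correlated sequence reports only the one that was actually deleted, which is the behaviour the article attributes to Argent for Compliance.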

Resolution

Edit the licensed node’s properties as below

Assign the desired email alert to the ‘File Deletion Alert’ field

After the above edits, the customer should ensure an appropriate Windows Event Log Rule is used for monitoring.

The objective is to ensure Argent scans the monitored node’s security event log.

The deletion alert logic is honored even if the rule is set to ‘Just Archive’.