KBI 311905 How To Alert File Deletion Audit Event Using Argent for Compliance


All Versions of Argent AT


Friday, 22 January 2021


This article describes how to alert on file audit event for deletion using Argent for Compliance.

Technical Background

A file deletion in Microsoft Windows generates Event IDs: 4656, 4663, 4660 and 4658. They are correlated by object handle ID and process ID.

Alert with single Event ID, e.g. 4656, does not always give accurate trace.

Therefore, Argent for Compliance was designed to use a sequence of file audit events to identify deletion operation.


Edit the licensed node’s properties as below

Assign desirable email alert to ‘File Deletion Alert’ field

After the above edits, customer should ensure an appropriate Windows Event Log Rule was used for monitoring.

The objective is to ensure Argent scans the monitored node’s security event log.

The deletion alert logic will be honored even if the rule is set to ‘Just Archive’