KBI 311905 How To Alert File Deletion Audit Event Using Argent for Compliance
Version
All Versions of Argent AT
Date
Friday, 22 January 2021
Summary
This article describes how to alert on file deletion audit events using Argent for Compliance.
Technical Background
A file deletion in Microsoft Windows generates Event IDs: 4656, 4663, 4660 and 4658. They are correlated by object handle ID and process ID.
Alerting on a single Event ID, e.g. 4656, does not always give an accurate trace.
Therefore, Argent for Compliance was designed to use the sequence of file audit events to identify a deletion operation.
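The correlation the article describes, as an added illustration that is not Argent's own code: the four Security-log events are grouped by process ID and object handle ID, and a deletion is reported only when 4656, 4663 and 4660 appear in order for the same handle. The event records are constructed samples with only the fields the correlation needs; note that 4660 and 4658 carry no object name, so the file path has to come from the 4656 that opened the handle.

```python
# Added example: correlate the four Windows file-audit events into one deletion alert.
from collections import defaultdict

# Event IDs named in the article.
HANDLE_REQUESTED, OBJECT_ACCESSED, OBJECT_DELETED, HANDLE_CLOSED = 4656, 4663, 4660, 4658
REQUIRED_ORDER = (HANDLE_REQUESTED, OBJECT_ACCESSED, OBJECT_DELETED)

# Constructed sample records (field names follow the Security log; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4656, "ProcessId": "0x1a2c", "HandleId": "0x3f8", "ObjectName": r"C:\Finance\Q4.xlsx"},
    {"EventID": 4663, "ProcessId": "0x1a2c", "HandleId": "0x3f8", "ObjectName": r"C:\Finance\Q4.xlsx"},
    {"EventID": 4660, "ProcessId": "0x1a2c", "HandleId": "0x3f8"},   # no ObjectName on 4660
    {"EventID": 4658, "ProcessId": "0x1a2c", "HandleId": "0x3f8"},
    # A handle opened and closed without a delete: must not alert.
    {"EventID": 4656, "ProcessId": "0x1a2c", "HandleId": "0x400", "ObjectName": r"C:\Finance\Q3.xlsx"},
    {"EventID": 4663, "ProcessId": "0x1a2c", "HandleId": "0x400", "ObjectName": r"C:\Finance\Q3.xlsx"},
    {"EventID": 4658, "ProcessId": "0x1a2c", "HandleId": "0x400"},
    # A lone 4660 with no matching 4656: the file cannot be named, so no alert.
    {"EventID": 4660, "ProcessId": "0x2b10", "HandleId": "0x50c"},
]

def correlate_deletions(events):
    """Return (process_id, object_name) for every confirmed deletion.

    Events are grouped by (ProcessId, HandleId). A group is a deletion only when
    4656, 4663 and 4660 occur in that order; 4658 is not required because the
    handle may still be open when the log is read. Handle IDs are reused after
    4658, so a production correlator would also start a new group on each 4656.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["ProcessId"], ev["HandleId"])].append(ev)

    alerts = []
    for (pid, _handle), seq in groups.items():
        ids = [ev["EventID"] for ev in seq]
        pos = -1
        for wanted in REQUIRED_ORDER:          # each step must follow the previous one
            try:
                pos = ids.index(wanted, pos + 1)
            except ValueError:
                break
        else:
            name = next(ev["ObjectName"] for ev in seq if ev["EventID"] == HANDLE_REQUESTED)
            alerts.append((pid, name))
    return alerts

if __name__ == "__main__":
    for pid, path in correlate_deletions(SAMPLE_EVENTS):
        print(f"File deletion alert: {path} deleted by process {pid}")
```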
Resolution
Edit the licensed node's properties as below.
Assign the desired email alert to the 'File Deletion Alert' field.
After the above edits, the customer should ensure an appropriate Windows Event Log Rule is used for monitoring.
The objective is to ensure Argent scans the monitored node's security event log.
The deletion alert logic will be honored even if the rule is set to 'Just Archive'.