• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1071
  • Last Modified:

Parameters list in Security Event ID 4663

I'm trying to alert when files are deleted in a folder. I turned on auditing for deletes and I see event id 4663 in the security log.  I'm using SCOM 2012 to comb the event log.  

What I need to know is what is the parameters values for this alert.

Specifically, what parameter value is the "DELETE" value.

Access Request Information:
      Accesses:      DELETE
  • 2
  • 2
1 Solution
String01 – Object Type
String02 – Object Name
String03 – Process ID
String04 - Process Name
String05 – Accesses
String06 – Object Server
String07 – Handle ID
String08 – Transaction ID
String09 – Access Mask
String10 – Privileges Used for Access Check
String11 – Restricted SID Count

For your example, you want alert when String 05 contains DELETE
jalenkAuthor Commented:
Thanks.  How did you figure that out? I'll need the same list for event id 4660
jalenkAuthor Commented:
I have it memorized from years of SCOM and ACS :)

The easiest way is to open the event you are concerned about in event viewer, select the copy command.  Paste the contents into notepad and you will have the XMLdata of the event.

If you look under the EventData section, you'll notice a number of <Data Name=".... Each of those is a string and can be referred to as String01, String02, String03, in order, until you reach the end..
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now