Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Parameters list in Security Event ID 4663

Posted on 2013-12-10
4
916 Views
Last Modified: 2013-12-10
I'm trying to alert when files are deleted in a folder. I turned on auditing for deletes and I see event id 4663 in the security log.  I'm using SCOM 2012 to comb the event log.  

What I need to know is what is the parameters values for this alert.

Specifically, what parameter value is the "DELETE" value.
 

Access Request Information:
      Accesses:      DELETE
0
Comment
Question by:jalenk
  • 2
  • 2
4 Comments
 
LVL 19

Accepted Solution

by:
jss1199 earned 500 total points
ID: 39710165
String01 – Object Type
String02 – Object Name
String03 – Process ID
String04 - Process Name
String05 – Accesses
String06 – Object Server
String07 – Handle ID
String08 – Transaction ID
String09 – Access Mask
String10 – Privileges Used for Access Check
String11 – Restricted SID Count

For your example, you want alert when String 05 contains DELETE
0
 

Author Comment

by:jalenk
ID: 39710170
Thanks.  How did you figure that out? I'll need the same list for event id 4660
0
 

Author Closing Comment

by:jalenk
ID: 39710173
quick!
0
 
LVL 19

Expert Comment

by:jss1199
ID: 39710227
I have it memorized from years of SCOM and ACS :)

The easiest way is to open the event you are concerned about in event viewer, select the copy command.  Paste the contents into notepad and you will have the XMLdata of the event.

If you look under the EventData section, you'll notice a number of <Data Name=".... Each of those is a string and can be referred to as String01, String02, String03, in order, until you reach the end..
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question