Prerequisites:
Before configuring EventSentry, ensure your Windows environment is prepared to track file operations:
1. Advanced Audit Policy: the "Audit File System" subcategory (under Object Access) must be enabled for Success, preferably through Group Policy so the setting is applied consistently to every monitored server.
2. Auditing must be enabled on the specific folders or drives you wish to protect: add a SACL entry that audits successful Delete access and make sure it is applied to "This folder, subfolders, and files", otherwise deletions in subfolders will not be logged.
3. EventSentry should be installed on the server that needs to be monitored.
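The two Windows-side prerequisites above can be applied and verified from an elevated PowerShell session on the monitored server. The following script is an added example and is not part of the EventSentry documentation; the folder path is an assumed placeholder, and the audit entry covers Everyone so that deletions by any account are recorded.

```powershell
# Added example (not from the EventSentry documentation).
# Run elevated on the server that holds the files; $FolderPath is an assumed placeholder.
$FolderPath = 'D:\Shares\Finance'

# Prerequisite 1: Advanced Audit Policy > Object Access > File System, Success only.
# auditpol changes the local machine; use Group Policy for a domain-wide rollout.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# Prerequisite 2: SACL on the folder auditing successful Delete (and delete of children),
# inherited by subfolders and files ("This folder, subfolders and files").
$acl  = Get-Acl -Path $FolderPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Verify both settings took effect before configuring EventSentry.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $FolderPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

After running it, delete a test file in the folder and confirm that a 4663 event with DELETE in its Accesses field appears in the Security log; if it does not, the SACL or the audit policy is the problem, not the EventSentry filter.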
Understanding the Events
Once auditing is configured, Windows logs Event ID 4660 (An object was deleted) and Event ID 4663 (An attempt was made to access an object). Event 4660 does not contain the file path or name, so we recommend filtering on Event ID 4663 with the DELETE access right, which records the full file path together with the user, domain, and process that performed the deletion. Additionally, we suggest filtering on Object Type: File so that the alert only targets files rather than other object types such as registry keys or directories. Note that 4663 with DELETE is logged whenever delete access is exercised on a file, which includes renames and the save-and-replace pattern many applications use when writing a document, so some "deletions" in the log are ordinary edits; the threshold configured below is what separates a user wiping out a share from normal activity.
Step 1: Create an Include Filter for Event 4663
1. In the EventSentry Management Console, navigate to Packages.
2. Create a new package (e.g., "File Deletion Monitoring") or select an existing one.
3. Assign the package to the target host(s) or make it Global.
Filter Configuration: add an include filter to the package that matches Event ID 4663 from the Security log, and restrict it with content filters so that it only matches events whose Accesses (insertion string 9) contain DELETE and whose Object Type (insertion string 6) is File.
Step 2: Set the Filter Threshold
For this example, EventSentry will send an email notification whenever a single user deletes more than 10 files in a 10-minute window.
Navigate to the Threshold tab of your filter and configure a threshold of 10 events within a 10-minute interval, evaluated per user, so that the filter matches (and the email is sent) only once one account exceeds that limit rather than on every individual deletion.
Step 3: Save (and Deploy)
Ensure you save your changes: Home -> Save.
Step 4: Monitor and Fine-Tune
Once this filter is in place, monitor the alerts and adjust the settings to meet your specific requirements. Remember that you will be notified via email (Default Email Action) whenever the filter's threshold is met.
Important Note: Depending on your infrastructure and specific filter settings, you may want to fine-tune the filter. For example, you can exclude temporary files from triggering this alert by filtering on the ObjectName field, which is insertion string 7 of Event 4663. Adding a content filter of !*.tmp on insertion string 7 excludes .tmp files from the alert trigger; the same approach works for other noisy patterns such as lock files created by office applications.
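Before relying on the threshold from Step 2 and the exclusion above, it helps to replay the existing Security log through the same rule and see which users and time windows would have triggered it. The script below is an added example, not part of EventSentry; it reads 4663 events with PowerShell, applies the File / DELETE / not-.tmp conditions, and counts deletions per user in a sliding 10-minute window. The window length, limit, and look-back period are assumptions that mirror the numbers used in this article.

```powershell
# Added example (not from the EventSentry documentation): dry-run the filter logic
# against the local Security log to tune the threshold and exclusions.
$WindowMinutes = 10                         # same window as the Threshold tab
$MaxDeletes    = 10                         # alert when a user exceeds this count
$Since         = (Get-Date).AddHours(-24)   # assumed look-back period

# Event 4663 insertion strings (1-based) map to $_.Properties (0-based):
#   2 SubjectUserName -> [1], 3 SubjectDomainName -> [2], 6 ObjectType -> [5],
#   7 ObjectName -> [6], 10 AccessMask -> [9]  (DELETE = 0x10000)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $p[2].Value, $p[1].Value
            ObjectType = $p[5].Value
            ObjectName = $p[6].Value
            AccessMask = [uint32]$p[9].Value
        }
    } |
    Where-Object {
        $_.ObjectType -eq 'File' -and
        ($_.AccessMask -band 0x10000) -ne 0 -and   # DELETE access right exercised
        $_.ObjectName -notlike '*.tmp'             # the "!*.tmp" exclusion on string 7
    }

# Sliding window per user: report the first point where more than $MaxDeletes
# deletions fall inside $WindowMinutes, which is what the EventSentry threshold fires on.
$hits = foreach ($group in ($events | Group-Object -Property User)) {
    $times = @($group.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
    $start = 0
    for ($i = 0; $i -lt $times.Count; $i++) {
        while (($times[$i] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
        $count = $i - $start + 1
        if ($count -gt $MaxDeletes) {
            [pscustomobject]@{
                User        = $group.Name
                WindowStart = $times[$start]
                WindowEnd   = $times[$i]
                Deletes     = $count
            }
            break   # one report per user is enough for tuning
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize } else { "No user exceeded $MaxDeletes deletions in $WindowMinutes minutes since $Since." }
```

If the dry run lists service accounts or backup jobs, add exclusions for those users or paths in the EventSentry filter rather than raising the threshold; if it lists nothing while you know files were removed, recheck the SACL inheritance and the Object Type condition before assuming the threshold is too high.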
Related Documentation
Defeating Ransomware with EventSentry Auditing
Folder Auditing and CryptoLocker
Windows Event ID 4660
Windows Event ID 4663