
File Deletion Attempts In Windows

Description

Submitted by SplunkNinja

The following Splunk queries return results for any user account that attempts to delete a file. They return both successful and failed attempts. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

Windows 2003 and older:
sourcetype="WinEventLog:Security" EventCode=564 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Image_File_Name, Type, host | sort - Date

Windows 2008 and newer:
sourcetype="WinEventLog:Security" EventCode=4660 (Security_ID!="NT AUTHORITY*") (Security_ID!="S-*") | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Account_Name, Process_Name, Keywords, host
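As an added example (not part of the original submission), the Python below replays the Windows 2008+ search over constructed WinEventLog:Security text: it parses the fields the way Splunk names them, applies the EventCode and Security_ID exclusions, and aggregates like the stats clause, so you can see which events the filters drop before running the search against live data. It assumes host is the short ComputerName and that Splunk's `!=` excludes events lacking the field, which is its actual behaviour.

```python
import re
from collections import Counter
from datetime import datetime
FIELD_RE = re.compile(r"^\t?([A-Za-z ]+?)[=:]\t*(.*)$")  # "Key=value" or "\tLabel:\t\tvalue"

def make_event(ts, code, sid, account, proc, computer, keywords="Audit Success"):
    """Render one constructed event in the Splunk Add-on for Windows text layout."""
    return (f"{ts}\nLogName=Security\nEventCode={code}\nComputerName={computer}\n"
            f"Keywords={keywords}\nMessage=An object was deleted.\n\nSubject:\n"
            f"\tSecurity ID:\t\t{sid}\n\tAccount Name:\t\t{account}\n\n"
            f"Process Information:\n\tProcess Name:\t\t{proc}\n")

# Constructed sample data, not real logs: two deletions by jdoe, one by SYSTEM, one by an unresolved SID, one 4663, one on another host.
SAMPLE_EVENTS = [make_event(*row) for row in [
    ("03/14/2016 09:12:01 AM", 4660, "CONTOSO\\jdoe", "jdoe", r"C:\Windows\explorer.exe", "WS01.contoso.local"),
    ("03/14/2016 09:13:40 AM", 4660, "CONTOSO\\jdoe", "jdoe", r"C:\Windows\explorer.exe", "WS01.contoso.local"),
    ("03/14/2016 09:15:02 AM", 4660, "NT AUTHORITY\\SYSTEM", "SYSTEM", r"C:\Windows\System32\svchost.exe", "WS01.contoso.local"),
    ("03/14/2016 09:16:11 AM", 4660, "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1001", r"C:\Windows\explorer.exe", "WS01.contoso.local"),
    ("03/14/2016 09:17:55 AM", 4663, "CONTOSO\\jdoe", "jdoe", r"C:\Windows\explorer.exe", "WS01.contoso.local"),
    ("03/15/2016 02:01:30 PM", 4660, "CONTOSO\\asmith", "asmith", r"C:\Windows\System32\cmd.exe", "FS02.contoso.local"),
]]

def parse_event(raw):
    """Extract fields under Splunk's names ('Security ID' -> Security_ID); host assumed to be the short ComputerName."""
    lines = raw.splitlines()
    fields = {"_time": datetime.strptime(lines[0], "%m/%d/%Y %I:%M:%S %p")}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m and m.group(2):  # skip section headers such as "Subject:" that carry no value
            fields[m.group(1).replace(" ", "_")] = m.group(2)
    fields["host"] = fields["ComputerName"].split(".")[0]
    return fields

def matches_search(ev):
    """EventCode=4660 (Security_ID!="NT AUTHORITY*") (Security_ID!="S-*"); a missing SID never passes != in Splunk."""
    sid = ev.get("Security_ID")
    return (ev.get("EventCode") == "4660" and sid is not None
            and not sid.startswith("NT AUTHORITY") and not sid.startswith("S-"))

def deletions_by_day(raw_events):
    """stats count by Date, Account_Name, Process_Name, Keywords, host."""
    counts = Counter()
    for ev in filter(matches_search, map(parse_event, raw_events)):
        key = (ev["_time"].strftime("%Y/%m/%d"), ev["Account_Name"], ev["Process_Name"], ev["Keywords"], ev["host"])
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(deletions_by_day(SAMPLE_EVENTS).items()):
        print(n, *key)
```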