Data Source: Sysmon EventID 23

Description

Sysmon Event ID 23 (FileDelete) records that a file was deleted and that Sysmon attempted to archive a copy of it. Each event carries the path of the deleted file (TargetFilename), the hashes of its contents, the deleting process (Image, ProcessId, ProcessGuid and User), the UTC time of the deletion, and an Archived field stating whether the copy was actually saved to the archive directory. Deletions that Sysmon logs without archiving are reported under a separate event, ID 26 (FileDeleteDetected), and are not part of this data source.

Details

Property    Value
Source      XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype  XmlWinEventLog
Separator   EventID
Name | Technique | Type
Excessive File Deletion In WinDefender Folder | Data Destruction | TTP
Windows ConsoleHost History File Deletion | Clear Command History | Anomaly
Windows Data Destruction Recursive Exec Files Deletion | Data Destruction | TTP
Windows Default Rdp File Deletion | File Deletion | Anomaly
Windows High File Deletion Frequency | Data Destruction | Anomaly
Windows Mark Of The Web Bypass | Mark-of-the-Web Bypass | TTP
Windows Rdp AutomaticDestinations Deletion | File Deletion | Anomaly
Windows RDP Cache File Deletion | File Deletion | Anomaly

Supported Apps

Event Fields

Fields

_time, Archived, Channel, Computer, EventChannel, EventCode, EventData_Xml,
EventDescription, EventID, EventRecordID, Guid, Hashes, IMPHASH, Image,
IsExecutable, Keywords, Level, MD5, Name, Opcode, ProcessGuid, ProcessID,
ProcessId, RecordID, RecordNumber, RuleName, SHA256, SecurityID, SystemTime,
System_Props_Xml, TargetFilename, Task, ThreadID, TimeCreated, User, UserID,
UtcTime, Version, action, date_hour, date_mday, date_minute, date_month,
date_second, date_wday, date_year, date_zone, dest, dvc_nt_host, event_id,
eventtype, file_hash, file_modify_time, file_name, file_path, host, id, index,
linecount, object_category, process_exec, process_guid, process_id,
process_name, process_path, punct, signature, signature_id, source,
sourcetype, splunk_server, tag, tag::eventtype, tag::object_category,
timeendpos, timestartpos, user, user_id, vendor_product

</div>

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>23</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>23</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2023-02-01T10:57:09.815326000Z'/>
    <EventRecordID>281771</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2612' ThreadID='2304'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win-dc-ctus-attack-range-865.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2023-02-01 10:57:09.814</Data>
    <Data Name='ProcessGuid'>{F522A29C-446D-63DA-9F01-00000000BB02}</Data>
    <Data Name='ProcessId'>2428</Data>
    <Data Name='User'>ATTACKRANGE\Administrator</Data>
    <Data Name='Image'>C:\Temp\swiftslicer.exe</Data>
    <Data Name='TargetFilename'>C:\Python311\vcruntime140_1.dll</Data>
    <Data Name='Hashes'>MD5=75E78E4BF561031D39F86143753400FF,SHA256=1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E,IMPHASH=BF380CA954CBF10D1A4CEF9EC18E46FD</Data>
    <Data Name='IsExecutable'>true</Data>
    <Data Name='Archived'>false - insufficient disk space</Data>
  </EventData>
</Event>

In this record the process C:\Temp\swiftslicer.exe (PID 2428, running as ATTACKRANGE\Administrator) deletes C:\Python311\vcruntime140_1.dll. Archived reads "false - insufficient disk space", so no copy of the deleted DLL was retained in Sysmon's archive directory and the Hashes field is the only artifact left to pivot on. Note also the two process identifiers: Execution ProcessID (2612) is the Sysmon service that wrote the event, while EventData ProcessId (2428) is the process that performed the deletion.

Required Output Fields

  • action

  • dest

  • dvc

  • file_path

  • file_hash

  • file_name

  • file_modify_time

  • process_exec

  • process_guid

  • process_id

  • process_name

  • process_path

  • signature

  • signature_id

  • user

  • user_id

  • vendor_product

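The Python below is an added example, not code from the Splunk Security Content project or the Sysmon add-on. It parses a Sysmon Event ID 23 record (the Example Log above, embedded as a constructed template so several events can be generated) into the Required Output Fields listed above, then runs a simplified deletion-frequency check over a handful of constructed events in the spirit of the "Windows High File Deletion Frequency" detection in the table. The field mapping (file_hash taking the SHA256 value, vendor_product set to "Microsoft Sysmon", the "File Delete archived" signature text, action fixed to "deleted") and the window/threshold logic are this example's own assumptions, not the add-on's field extractions or the published search.

```python
import ntpath
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed template: the Example Log record with record number, timestamps
# and TargetFilename as placeholders. GUID braces are doubled for str.format().
SAMPLE_TEMPLATE = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Sysmon' Guid='{{5770385F-C22A-43E0-BF4C-06F5698FFBD9}}'/>
<EventID>23</EventID><Version>5</Version><Level>4</Level><Task>23</Task><Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='{ts}'/>
<EventRecordID>{rec}</EventRecordID><Correlation/><Execution ProcessID='2612' ThreadID='2304'/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>win-dc-ctus-attack-range-865.attackrange.local</Computer>
<Security UserID='S-1-5-18'/></System>
<EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>{utc}</Data>
<Data Name='ProcessGuid'>{{F522A29C-446D-63DA-9F01-00000000BB02}}</Data>
<Data Name='ProcessId'>2428</Data><Data Name='User'>ATTACKRANGE\\Administrator</Data>
<Data Name='Image'>C:\\Temp\\swiftslicer.exe</Data><Data Name='TargetFilename'>{target}</Data>
<Data Name='Hashes'>MD5=75E78E4BF561031D39F86143753400FF,SHA256=1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E,IMPHASH=BF380CA954CBF10D1A4CEF9EC18E46FD</Data>
<Data Name='IsExecutable'>true</Data><Data Name='Archived'>false - insufficient disk space</Data>
</EventData></Event>"""


def make_event(rec, utc, target):
    """Render one constructed Event 23 record; `utc` is in Sysmon's UtcTime format."""
    return SAMPLE_TEMPLATE.format(rec=rec, utc=utc, ts=utc.replace(" ", "T") + "000Z",
                                  target=target)


def parse_sysmon_23(xml_text):
    """Map one raw Event 23 record onto the Required Output Fields (assumed mapping)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if event_id != 23:
        raise ValueError(f"expected Sysmon EventID 23, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    # Hashes is a single field of the form "MD5=...,SHA256=...,IMPHASH=..."
    hashes = dict(h.split("=", 1) for h in data["Hashes"].split(",") if "=" in h)
    target, image = data["TargetFilename"], data["Image"]
    return {
        "action": "deleted",
        "dest": system.findtext("e:Computer", namespaces=NS),
        "signature_id": event_id,
        "signature": "File Delete archived",  # Sysmon's own name for ID 23
        "file_path": target,
        "file_name": ntpath.basename(target),
        "file_hash": hashes.get("SHA256", ""),
        "file_modify_time": data["UtcTime"],
        "process_path": image,
        "process_name": ntpath.basename(image),
        "process_exec": ntpath.basename(image),
        "process_id": int(data["ProcessId"]),
        "process_guid": data["ProcessGuid"],
        "user": data["User"],
        "user_id": system.find("e:Security", NS).get("UserID"),
        "vendor_product": "Microsoft Sysmon",
        # Extra context: whether Sysmon kept a copy of the file. A value such as
        # "false - insufficient disk space" means only the hashes survive.
        "archived": data["Archived"].startswith("true"),
        "is_executable": data["IsExecutable"] == "true",
        "hashes": hashes,
    }


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def high_deletion_frequency(events, threshold=3, window_seconds=60):
    """Flag each (dest, process_guid) whose deletions inside any window of
    `window_seconds` exceed `threshold`. Illustrative logic and thresholds."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["dest"], ev["process_guid"])].append(ev)
    alerts = []
    for (dest, guid), evs in by_proc.items():
        times = sorted(_utc(e["file_modify_time"]) for e in evs)
        best = left = 0
        for right in range(len(times)):  # sliding window over sorted timestamps
            while (times[right] - times[left]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        if best > threshold:
            alerts.append({"dest": dest, "process_guid": guid,
                           "process_name": evs[0]["process_name"], "count": best,
                           "files": sorted(e["file_path"] for e in evs)})
    return alerts


# Constructed sample: the Example Log deletion plus four more DLLs removed by
# the same process over the following four seconds.
_TARGETS = ["vcruntime140_1.dll", "python311.dll", "python3.dll",
            "libcrypto-1_1.dll", "libssl-1_1.dll"]
SAMPLE_EVENTS = [
    parse_sysmon_23(make_event(281771 + i, f"2023-02-01 10:57:{9 + i:02d}.814",
                               "C:\\Python311\\" + name))
    for i, name in enumerate(_TARGETS)
]
```

Running `high_deletion_frequency(SAMPLE_EVENTS)` returns one alert for swiftslicer.exe with a count of 5. Two points the code makes that the field list alone does not: the deleting process comes from EventData ProcessId/ProcessGuid, not from the Execution element (which identifies the Sysmon service), and the Archived value should be checked before assuming a deleted file can be recovered from the archive directory.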

Source: GitHub | Version: 3