sigma-rules/docs/audit_policies/windows/sysmon_eventid23_file_delete.md
Jonhnathan a2bf7f088d [Security Content] Windows Setup Guides - WinEventLog & Sysmon (#5162)
* [Security Content] Windows Setup Guides

* Move it to the right folder

* Fix link

* test

* ++

* ++

* ++

* ++

* ++

* ++

* ++

* ++

* Fix links

* ++

* ++

* Update pyproject.toml

* Update docs/audit_policies/windows/sysmon_eventid1_process_creation.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update docs/audit_policies/windows/audit_powershell_scriptblock.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update pyproject.toml

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-11-14 09:22:31 -08:00


Sysmon Event ID 23: File Delete

Setup

Caution: Collecting Sysmon events without a configuration tailored to your environment will produce a high data volume. These setup instructions need significant tuning before they are production-ready. For more specific configurations, we recommend exploring the following resources:

Some detection rules require Sysmon Event ID 23 (File Delete) events to detect malicious activity, such as an attacker attempting to cover their tracks by deleting tools or logs.

To collect these logs, use the Windows Integration and select the Sysmon Operational channel on the integration setup page.

Configuration Example

The following snippet shows the minimal configuration required to enable Event ID 23 (File Delete). It turns on the event logging but lacks the filtering a production environment needs, so it will generate significant noise. Treat it as a reference to integrate into a more robust configuration, such as those provided in the resources above.

<Sysmon schemaversion="4.90">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <EventFiltering>
        <!-- Log all file delete events -->
        <FileDelete onmatch="exclude"></FileDelete>
    </EventFiltering>
</Sysmon>
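To check whether a deployed configuration still carries the unfiltered setting the caution above warns about, here is a small checker added for this guide (it is not part of the detection-rules project). It parses a Sysmon XML config and reports how Event ID 23 is filtered; it relies only on the standard Sysmon elements `EventFiltering`, `RuleGroup`, `FileDelete`, `Image` and `TargetFilename`, and the paths in the tuned variant are constructed placeholders, not recommended exclusions.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the minimal snippet above: an empty exclude block,
# which makes Sysmon record every file deletion.
MINIMAL_CONFIG = """<Sysmon schemaversion="4.90">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <EventFiltering>
        <FileDelete onmatch="exclude"></FileDelete>
    </EventFiltering>
</Sysmon>"""

# Constructed tuned variant: still an exclude list, but with filter entries
# that drop deletions known to be noisy in this (hypothetical) environment.
TUNED_CONFIG = """<Sysmon schemaversion="4.90">
    <EventFiltering>
        <RuleGroup name="" groupRelation="or">
            <FileDelete onmatch="exclude">
                <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
                <TargetFilename condition="contains">\\AppData\\Local\\Temp\\</TargetFilename>
            </FileDelete>
        </RuleGroup>
    </EventFiltering>
</Sysmon>"""


def audit_file_delete(config_xml: str) -> dict:
    """Summarise how a Sysmon config handles Event ID 23 (FileDelete)."""
    root = ET.fromstring(config_xml)
    # FileDelete may sit directly under EventFiltering or inside a RuleGroup.
    blocks = root.findall("./EventFiltering//FileDelete")
    summary = {"enabled": False, "include_filters": 0,
               "exclude_filters": 0, "logs_everything": False}
    if not blocks:
        return summary  # no FileDelete block at all: EID 23 is not collected
    has_include = has_exclude = False
    for block in blocks:
        if block.get("onmatch", "").lower() == "include":
            has_include = True
            summary["include_filters"] += len(list(block))
        else:
            has_exclude = True
            summary["exclude_filters"] += len(list(block))
    # An include block with no entries matches nothing, so nothing is logged.
    summary["enabled"] = not (has_include and not has_exclude
                              and summary["include_filters"] == 0)
    # An exclude block with no entries (and no include list) logs every
    # deletion: the noisy case the setup caution describes.
    summary["logs_everything"] = (has_exclude and not has_include
                                  and summary["exclude_filters"] == 0)
    return summary
```

Run it against an exported config before rollout; a result with `logs_everything` set to True means the exclusion list has not been tuned yet.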

Use the following GitHub search to identify rules that use the events generated by this configuration:

Elastic Detection Rules Github Repo Search