I am trying to determine if someone is maliciously deleting files from a folder and have auditing turned on for the directory. In combing through the Security Event viewer, I see the files in question with DELETE in the Accesses field. I just want to be sure that this means that the user id associated with this event actually deleted the file specified in the Object Name field of the event in the log. This particular event also shows "ReadAttributes" in the Accesses field.
Can someone confirm that when I see DELETE in the event log, that this is indeed a delete?
Thanks.
Thanks, Linda