How to determine new file name from audit log on renaming?

[Windows 2008 R2 File System audit]

When I delete the file, two event log audit messages appear: 4663 which means request for file deletion and 4660 which confirms the deletion. Thay can be joined by attribute Handler.

When I rename the file, two event log audit messages appear: 4663 which means request for file deletion and 4663 for creating new file (but there is only folder path, no filename)

When I move the file from one folder to another, there is the same picture as renaming (because moving is actually renaming, OK)

When I create a new file, no events appear.

So, questions: 1. What am I missing to audit file creation? 2. What am I missing to audit file renaming?


My AuditPol.EXE exports (DACL and SACL):

Category/Subcategory                      Setting
System
  Security System Extension               Failure
  System Integrity                        Failure  
  IPsec Driver                            Failure    
  Other System Events                     Failure  
  Security State Change                   Failure    
Logon/Logoff
  Logon                                   Success and Failure   
  Logoff                                  Success and Failure    
  Account Lockout                         Success and Failure    
  IPsec Main Mode                         Success and Failure    
  IPsec Quick Mode                        Success and Failure    
  IPsec Extended Mode                     Success and Failure    
  Special Logon                           Success and Failure    
  Other Logon/Logoff Events               Success and Failure    
  Network Policy Server                   Success and Failure    
Object Access
  File System                             Success    
  Registry                                No Auditing    
  Kernel Object                           No Auditing    
  SAM                                     No Auditing    
  Certification Services                  No Auditing    
  Application Generated                   No Auditing    
  Handle Manipulation                     No Auditing    
  File Share                              No Auditing    
  Filtering Platform Packet Drop          No Auditing    
  Filtering Platform Connection           No Auditing    
  Other Object Access Events              No Auditing    
  Detailed File Share                     No Auditing    
Privilege Use
  Sensitive Privilege Use                 Failure    
  Non Sensitive Privilege Use             Failure    
  Other Privilege Use Events              Failure    
Detailed Tracking
  Process Termination                     Failure    
  DPAPI Activity                          Failure    
  RPC Events                              Failure    
  Process Creation                        Failure    
Policy Change
  Audit Policy Change                     Failure    
  Authentication Policy Change            Failure    
  Authorization Policy Change             Failure    
  MPSSVC Rule-Level Policy Change         Failure    
  Filtering Platform Policy Change        Failure    
  Other Policy Change Events              Failure    
Account Management
  User Account Management                 Failure    
  Computer Account Management             Failure    
  Security Group Management               Failure    
  Distribution Group Management           Failure    
  Application Group Management            Failure    
  Other Account Management Events         Failure    
DS Access
  Directory Service Changes               No Auditing    
  Directory Service Replication           No Auditing    
  Detailed Directory Service Replication  No Auditing    
  Directory Service Access                Success    
Account Logon
  Kerberos Service Ticket Operations      Success and Failure    
  Other Account Logon Events              Success and Failure    
  Kerberos Authentication Service         Success and Failure    
  Credential Validation                   Success and Failure

Entry:            1    
Resource Type:    File   
User:             CONTOSO\Domain Users    
Flags:            Success    
Accesses:
    FILE_WRITE_DATA
    FILE_APPEND_DATA
    FILE_DELETE_CHILD
    DELETE    
The command was successfully executed.

`


Solution 1:

This is a complex answer. While I collect the relevant links (which consist of the reasons¹ this is hard to reliably accomplish within the auditing system) try this:

Use SysMon and pivot off of EventID 2.

Related unanswered question.

¹ They all boil down to behavior of the CreateFile() API, different parameters it can receive, from where, hooking, architecture and what the consumer does with the handle after they get it. Detecting changes to the created file time should get rid of all of that.