diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index ba42551ae667..f18fc61c32d3 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -62,6 +62,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
 
+- Add support to Sysmon file delete events (event ID 23). {issue}18094[18094]
+
 *Functionbeat*
 
diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
index 3763ebc12db1..092ad7516d1e 100644
--- a/winlogbeat/docs/fields.asciidoc
+++ b/winlogbeat/docs/fields.asciidoc
@@ -7572,6 +7572,24 @@ type: keyword
 
 --
 
+*`sysmon.file.archived`*::
++
+--
+Indicates if the deleted file was archived.
+
+type: boolean
+
+--
+
+*`sysmon.file.is_executable`*::
++
+--
+Indicates if the deleted file was an executable.
+
+type: boolean
+
+--
+
 [[exported-fields-winlog]]
 == Winlogbeat fields
 
diff --git a/x-pack/winlogbeat/module/sysmon/_meta/fields.yml b/x-pack/winlogbeat/module/sysmon/_meta/fields.yml
index 8ba29416eb49..ff9db37db910 100644
--- a/x-pack/winlogbeat/module/sysmon/_meta/fields.yml
+++ b/x-pack/winlogbeat/module/sysmon/_meta/fields.yml
@@ -8,3 +8,11 @@
   - name: sysmon.dns.status
     type: keyword
     description: Windows status code returned for the DNS query.
+
+  - name: sysmon.file.archived
+    type: boolean
+    description: Indicates if the deleted file was archived.
+
+  - name: sysmon.file.is_executable
+    type: boolean
+    description: Indicates if the deleted file was an executable.
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index 2e449580d879..d9d454ec1fea 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -1392,6 +1392,63 @@ var sysmon = (function () {
         .Add(removeEmptyEventData)
         .Build();
 
+    // Event ID 23 - FileDelete (A file delete was detected).
+    var event23 = new processor.Chain()
+        .Add(parseUtcTime)
+        .AddFields({
+            fields: {
+                "event.category": ["file"], // pipes are files
+                "event.type": ["deletion"],
+            },
+        })
+        .Convert({
+            fields: [
+                {
+                    from: "winlog.event_data.UtcTime",
+                    to: "@timestamp",
+                },
+                {
+                    from: "winlog.event_data.ProcessGuid",
+                    to: "process.entity_id",
+                },
+                {
+                    from: "winlog.event_data.ProcessId",
+                    to: "process.pid",
+                    type: "long",
+                },
+                {
+                    from: "winlog.event_data.RuleName",
+                    to: "rule.name",
+                },
+                {
+                    from: "winlog.event_data.TargetFilename",
+                    to: "file.name",
+                },
+                {
+                    from: "winlog.event_data.Image",
+                    to: "process.executable",
+                },
+                {
+                    from: "winlog.event_data.Archived",
+                    to: "sysmon.file.archived",
+                    type: "boolean",
+                },
+                {
+                    from: "winlog.event_data.IsExecutable",
+                    to: "sysmon.file.is_executable",
+                    type: "boolean",
+                },
+            ],
+            mode: "rename",
+            ignore_missing: true,
+            fail_on_error: false,
+        })
+        .Add(addUser)
+        .Add(splitHashes)
+        .Add(setProcessNameUsingExe)
+        .Add(removeEmptyEventData)
+        .Build();
+
     // Event ID 255 - Error report.
     var event255 = new processor.Chain()
         .Add(parseUtcTime)
@@ -1436,6 +1493,7 @@ var sysmon = (function () {
         20: event20.Run,
         21: event21.Run,
         22: event22.Run,
+        23: event23.Run,
         255: event255.Run,
 
         process: function (evt) {
diff --git a/x-pack/winlogbeat/module/sysmon/fields.go b/x-pack/winlogbeat/module/sysmon/fields.go
index eeb184deb3b1..8fef032555d1 100644
--- a/x-pack/winlogbeat/module/sysmon/fields.go
+++ b/x-pack/winlogbeat/module/sysmon/fields.go
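Review bot: The comment `// pipes are files` on the `"event.category": ["file"]` line of the new event23 chain looks copied from the named-pipe handlers and is misleading for a FileDelete event; drop it or replace it with `// Sysmon event 23 reports a file deletion`. The golden output for this handler also shows TargetFilename landing in `file.name` as a directory-qualified path, whereas ECS reserves `file.name` for the base name and `file.path` for the full path, so detection content keyed on `file.path` may not match these events; if the module's other file handlers map TargetFilename the same way, a consistent change across them is preferable to a one-off here. The enclosing `sysmon` function starts and ends outside the hunk.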
@@ -19,5 +19,5 @@ func init() {
 // AssetSysmon returns asset data.
 // This is the base64 encoded gzipped contents of module/sysmon.
 func AssetSysmon() string {
-	return "eJxUzrFuwzAQA9BdX0Fkjz9AQ6fOXVKgs+qjEaG2zr07N9DfF1WTISsJEu+ML/YM775pS0DUWJlxuowAm8qx8pQAoc9W96jaMl4SALxf6UQxIq4Ef9gCS+UqDt8516XOCB3l092UAOPK4sz4ZJSE+y6ncXxGKxsfqkmaTx4lDh8tEH1n/oPf1OSePfk+ahO9Of5XmFUIYxzWKFjUhun17YLvg9an9BsAAP//OQhWnA=="
+	return "eJysjrFOKzEQRXt/xVX6+ANcvOo1NDRBokSOfVcZ4djBM5uwf49iEqGVIiraGd1zzhbvXAJ00WOrDjCxwoDNbhxwbHku3DggU1OXk0mrAf8cALwcqETshB0InlkNk7BkhZ6YZJIEa+O5wnkHdBZGZcCeFh1uu+AGeIsaj7xX+VzVq0WbdXwBW04M1/BL6/l2W/W9Ss3tovheIbVMdNrcKzOm1kfT/+cdPmb2xT+0TlLoY08HOTOvxPvWCmN9JH6qWVI0KmQaksxCu0qlEJeouBN/kYq+8ZNptrgv/ENzxQ/Wu68AAAD//xH3plw="
 }
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx
new file mode 100644
index 000000000000..4258ea01dd7c
Binary files /dev/null and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx differ
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
new file mode 100644
index 000000000000..1e36d89016c6
--- /dev/null
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
@@ -0,0 +1,74 @@
+[
+    {
+        "@timestamp": "2020-05-07T07:27:18.722Z",
+        "event": {
+            "code": 23,
+            "kind": "event",
+            "module": "sysmon",
+            "provider": "Microsoft-Windows-Sysmon"
+        },
+        "fields": {
+            "event": {
+                "category": [
+                    "file"
+                ],
+                "type": [
+                    "deletion"
+                ]
+            }
+        },
+        "file": {
+            "name": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat"
+        },
+        "hash": {
+            "sha1": "115106f5b338c87ae6836d50dd890de3da296367"
+        },
+        "host": {
+            "name": "vagrant-2012-r2"
+        },
+        "log": {
+            "level": "information"
+        },
+        "process": {
+            "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}",
+            "executable": "C:\\Windows\\System32\\svchost.exe",
+            "name": "svchost.exe",
+            "pid": 776
+        },
+        "rule": {
+            "name": "-"
+        },
+        "sysmon": {
+            "file": {
+                "archived": true,
+                "is_executable": false
+            }
+        },
+        "user": {
+            "domain": "NT AUTHORITY",
+            "name": "LOCAL SERVICE"
+        },
+        "winlog": {
+            "api": "wineventlog",
+            "channel": "Microsoft-Windows-Sysmon/Operational",
+            "computer_name": "vagrant-2012-r2",
+            "event_id": 23,
+            "process": {
+                "pid": 664,
+                "thread": {
+                    "id": 2360
+                }
+            },
+            "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+            "provider_name": "Microsoft-Windows-Sysmon",
+            "record_id": 11,
+            "user": {
+                "domain": "NT AUTHORITY",
+                "identifier": "S-1-5-18",
+                "name": "SYSTEM",
+                "type": "Well Known Group"
+            },
+            "version": 5
+        }
+    }
+]
\ No newline at end of file