Channel: Security.
Events: 5140, 5142, 5143, 5144, 5145.

Channel: Microsoft-Windows-SMBServer/Security.
Events: 1006, 1016, 1020.

Overview

Advanced auditing policies: Audit File Share

Covers access to, and operations on, network shares configured on the local system, as well as access to the files and folders hosted on those shares.

By default no events are generated, as network share auditing requires advanced auditing policies to be enabled:

  • Audit File Share, for share access and lifecycle.

  • Audit Detailed File Share, for access to the files and folders hosted on network shares.

Enabling network share auditing may, however, generate an overwhelming number of events.

Events

Channel: Security.
Conditions: requires Audit File Share to be enabled.
Events: 5140, 5142, 5143, 5144.

Events related to network shares: creation, deletion, modification, and access attempts of network shares. These events do not track access to the folders and files hosted on network shares.
As there are no System Access Control Lists (SACLs) for shares, access to all shares on the system is audited.

  • Event 5140: A network share object was accessed.
    Generated every time a network share is accessed, but only once per session (upon the first access attempt).
    Object Type is always File for this event.

  • Event 5142: A network share object was added.

  • Event 5143: A network share object was modified.

  • Event 5144: A network share object was deleted.

All events include information about the account that performed the operation: username, domain, and SID, as well as the Logon ID associated with the logon.
Event 5140 also includes network information: the source IP address and port.

Channel: Security.
Conditions: requires Audit Detailed File Share to be enabled.
Events: 5145.

Events related to access to folders and files hosted on network shares. The event is generated upon every access to a network shared file or folder (successful or not).
Failure events are generated only when access is denied at the file share level, not at the file/folder level. The event may thus not indicate that the access to the shared file or folder was actually successful.

  • Event 5145: A network share object was checked to see whether client can be granted desired access.
    Includes information about the account that performed the operation (username, domain, and SID), the Logon ID associated with the logon, and the source IP address and port.

Channel: Microsoft-Windows-SMBServer/Security.
Conditions: default configuration. Introduced in Windows 10 version 1507 and Windows Server 2012 R2 Update 3.
Events: 1006, 1016, 1020.

  • Event 1006: The share denied access to the client.
    Generated upon access denied errors, when a principal accesses a share without the necessary permissions.

  • Event 1016: Reopen failed.

  • Event 1020: File system operation has taken longer than expected.

  Both events are generated upon operational issues, but can be an indicator of share access.

All events include information about the client's IP address, username, and share name and path.
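The following PowerShell is an added example, not part of the original page: it enables the two advanced audit subcategories described above with auditpol, then collects the share events from both channels with Get-WinEvent and flattens them into objects that can be grouped by account, source IP and share. It assumes an elevated session on the audited host. The field names it extracts for the Security events (SubjectUserName, SubjectDomainName, SubjectLogonId, ShareName, ShareLocalPath, IpAddress, IpPort, RelativeTargetName) are the EventData names of events 5140 to 5145; for the SMBServer/Security events the raw name/value map is kept as-is, since their field names are not documented on this page. The function name Get-ShareAuditEvent is hypothetical.

```powershell
# Added example (not from the original page). Run elevated on the audited host.

# 1. Enable "Audit File Share" (5140-5144) and "Audit Detailed File Share" (5145),
#    success and failure. Detailed File Share fires on every file/folder access,
#    so enable it only where the volume is manageable.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable

# Verify the effective policy for the whole Object Access category.
auditpol /get /category:"Object Access"

function Get-ShareAuditEvent {
    # Returns share access / lifecycle events from both channels as flat objects.
    # Hypothetical helper written for this example.
    param(
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )

    $filters = @(
        @{ LogName = 'Security'; Id = 5140, 5142, 5143, 5144, 5145; StartTime = $StartTime },
        @{ LogName = 'Microsoft-Windows-SMBServer/Security'; Id = 1006, 1016, 1020; StartTime = $StartTime }
    )

    foreach ($filter in $filters) {
        # -ErrorAction SilentlyContinue: Get-WinEvent errors when a filter matches nothing.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}

            # Flatten every leaf element outside <System> into name -> value.
            # Security events use <Data Name="...">; other manifests use named elements.
            foreach ($section in $xml.Event.ChildNodes) {
                if ($section.LocalName -eq 'System') { continue }
                foreach ($leaf in $section.SelectNodes('.//*[not(*)]')) {
                    $name = if ($leaf.LocalName -eq 'Data' -and $leaf.GetAttribute('Name')) {
                        $leaf.GetAttribute('Name')
                    } else {
                        $leaf.LocalName
                    }
                    $data[$name] = $leaf.InnerText
                }
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Channel     = $_.LogName
                Id          = $_.Id
                Outcome     = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                # Security-channel field names (5140-5145); empty for the SMBServer channel.
                Account     = if ($data.SubjectUserName) { "$($data.SubjectDomainName)\$($data.SubjectUserName)" } else { $null }
                LogonId     = $data.SubjectLogonId
                SourceIp    = $data.IpAddress
                SourcePort  = $data.IpPort
                ShareName   = $data.ShareName
                SharePath   = $data.ShareLocalPath
                Target      = $data.RelativeTargetName   # only populated on 5145
                Data        = $data                      # raw map, e.g. for 1006/1016/1020
            }
        }
    }
}

# 2. Usage: who touched which share, from where, in the last day.
$events = Get-ShareAuditEvent -StartTime (Get-Date).AddDays(-1)

# Share-level access (5140) summarised per account, source IP and share.
$events | Where-Object Id -eq 5140 |
    Group-Object Account, SourceIp, ShareName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Denied attempts: 5140/5145 audit failures and SMBServer 1006.
$events | Where-Object { $_.Outcome -eq 'Failure' -or $_.Id -eq 1006 } |
    Select-Object TimeCreated, Channel, Id, Account, SourceIp, ShareName, Target |
    Format-Table -AutoSize
```

Because 5140 is emitted once per session and 5145 on every file or folder access, the 5140 summary gives a compact view of which principals reached which shares from which hosts, while the 5145 rows (Target column) add the per-object detail when Audit Detailed File Share is enabled. Failures at the share level appear as both a Security audit failure and, on supported builds, an SMBServer/Security 1006 event.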
