Channel: Security.
Events: 5140, 5142, 5143, 5144, 5145.
Events: 5140, 5142, 5143, 5144, 5145.
Overview
For access and operations on network shares configured on the local system, and access to files and folders hosted on network shares.
By default no events are generated, as network share auditing requires advanced auditing policies to be enabled:
-
Audit File Share
, for share access and lifecycle. -
Audit Detailed File Share
, for access to hosted files and folders access.
Enabling network share auditing may however generate an overwhelming amount of events.
Channel | Conditions | Events |
---|---|---|
Security |
Requires Audit File Share to be enabled. |
Events related to network shares: creation, deletion, modification, and access attempts of network shares. Do not track access to folders and files hosted on network shares. As there are no System Access Control Lists (SACLs ) for shares, access to all shares on the system are audited.Event 5140: A network share object was accessed . Generated every time a network share is accessed, but only once per session (upon first access attempt). Object Type is always File for this event. Event 5142: A network share object was added . Event 5143: A network share object was modified . Event 5144: A network share object was deleted . All events include information about the account that performed the operation: username, domain, and SID as well as the Logon ID associated with the logon. Events 5140 also include network information: source IP address and port. |
Security |
Requires Audit Detailed File Share to be enabled. |
Event related to access to folders and files hosted on network shares. The event is generated upon every access to a network shared file or folder (successful or not). Failure events are generated only when access is denied at the file share level, not a the file / folder level. The event may thus not indicate that the access to the shared file or folder was successful. Event 5145: A network share object was checked to see whether client can be granted desired access . Includes information about the account that performed the operation: username, domain, and SID , the Logon ID associated with the logon, and the source IP address and port. |
View on GitHub