Can someone explain why on the audit events of a file server there's plenty of 4656 events even if the file or folders have not directly been opened?
For example, if you open the root directory H: , in the events there are lots 4656 related to the folders inside it. If you open the folder H:\examplefolder\ , you will have lots of 4656 for files and folders in it, without touching them.
Thank you
Asked
Active
Viewed 40 times
0
kenlukas
- 2,886
- 2
- 14
- 25
Someonesomewhere
- 1
- 1
1 Answers
0
If you enabled auditing for everything there will be a lot of noise. If list folder is enabled or read attributes for the files then you may want to refine your auditing criteria.
Greg Askew
- 34,339
- 3
- 52
- 81