Auditing Windows file access


#1

Hi,

This didn't really fit into any of the categories, so I'll post it here.

I'm trying to audit Windows file share accesses, but it seems to be quite hard, at least for me.
I have found numerous resources which indicate that the interesting events are: 4656, 4658 and 4663.

However, I have not found a fool-proof way to indicate when someone has actually opened a file. I understand that this may be tricky when it comes to separating a directory listing from a read file event, but I am curious how others have succeeded?

The write event is trivial, but the read event is what I cannot figure out how to audit.
Currently, what happens is that if I browse to a directory which is in audit scope, it generates events indicating that I would have browsed to subdirectories, which I have not.

It is very important to get this right, as someone might get fired if the log shows that he/she has accessed a file.

A couple of resources:
https://www.splunk.com/blog/2013/07/08/audit-file-access-and-change-in-windows.html
https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

Cheers!
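
An added example, not part of the original post: one way to correlate the three event IDs named above by `HandleId`, so that a handle that was only requested (4656) is kept apart from one where the read bit was actually exercised (4663). The event records, paths and the `DIRECTORIES` set are constructed for illustration, and the code assumes events from a single host in chronological order; because `AccessMask` bit 0x1 means ReadData on a file and ListDirectory on a folder, the directory set must come from elsewhere, such as a listing of the share.

```python
READ_DATA = 0x1  # FILE_READ_DATA on a file; the same bit is FILE_LIST_DIRECTORY on a directory

def rec(event_id, handle, user=None, path=None, mask="0x0"):
    """Build one constructed event record using Security-log field names."""
    return {"EventID": event_id, "HandleId": handle, "SubjectUserName": user,
            "ObjectName": path, "AccessMask": mask}

HR = r"D:\Share\HR"                      # constructed path
DOC = r"D:\Share\HR\salaries.xlsx"       # constructed path
SAMPLE_EVENTS = [                        # constructed, in chronological order
    rec(4656, "0x1a4", "alice", HR, "0x100081"),   # folder handle requested
    rec(4663, "0x1a4", "alice", HR, "0x1"),        # ListDirectory used on the folder
    rec(4658, "0x1a4"),
    rec(4656, "0x1b0", "alice", DOC, "0x120089"),  # read access requested, never used
    rec(4658, "0x1b0"),
    rec(4656, "0x1c8", "bob", DOC, "0x120089"),
    rec(4663, "0x1c8", "bob", DOC, "0x1"),         # ReadData used on the file
    rec(4658, "0x1c8"),
]
DIRECTORIES = {HR.lower()}  # assumption: directory paths come from a listing of the share

def file_reads(events, directories):
    """Return (user, path) per handle where 4663 shows ReadData used on a non-directory."""
    handles, reads = {}, []

    def finish(h):
        if h["used"] & READ_DATA and h["path"].lower() not in directories:
            reads.append((h["user"], h["path"]))

    for e in events:
        hid = e["HandleId"]
        if e["EventID"] == 4656:    # handle requested: access asked for, nothing read yet
            handles[hid] = {"user": e["SubjectUserName"], "path": e["ObjectName"], "used": 0}
        elif e["EventID"] == 4663:  # access right exercised on the handle
            h = handles.setdefault(hid, {"user": e["SubjectUserName"],
                                         "path": e["ObjectName"], "used": 0})
            h["used"] |= int(e["AccessMask"], 16)
        elif e["EventID"] == 4658 and hid in handles:  # handle closed: evaluate it
            finish(handles.pop(hid))
    for h in handles.values():      # handles still open when the log window ends
        finish(h)
    return reads

if __name__ == "__main__":
    print(file_reads(SAMPLE_EVENTS, DIRECTORIES))
```

A 4663 with the read bit set shows that a process exercised ReadData on that handle, which can also be a shell preview or thumbnail fetch rather than a user opening the file.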


#2

Anyone doing this?

