Can someone explain why on the audit events of a file server there's plenty of 4656 events even if the file or folders have not directly been opened?
For example, if you open the root directory H: , in the events there are lots 4656 related to the folders inside it. If you open the folder H:\examplefolder\ , you will have lots of 4656 for files and folders in it, without touching them.
Thank you
Asked
Active
Viewed 71 times
0
kenlukas
- 3,101
- 2
- 16
- 26
Someonesomewhere
- 1
- 1
1 Answers
0
If you enabled auditing for everything there will be a lot of noise. If list folder is enabled or read attributes for the files then you may want to refine your auditing criteria.
Greg Askew
- 35,880
- 5
- 54
- 82