In auditing for Event ID 4663 in the security log of a Windows File server for users opening files and I'm finding that there seems to be in my opinion some false positives.
I have a Windows Server 2008 R2 server acting as a File Server that has a handful of network shares for users to interact with. Auditing is enabled via Group Policy. On the security settings for the folder I was testing in particular under the auditing tab "Everyone" is listed with Full control. In my testing I go to a particular folder where let's say there's file A.txt, B.txt and C.txt. From my laptop I connect to the network share, navigate to the folder and click on C.txt, look at it in Notepad then close the app and go review the security log in the event viewer. I'd filter out for 4663 events and am finding that it's reporting that I opened all files in that folder. Is there a better event ID to be monitoring or maybe some alterations are needed to my audit settings to clear this up?
