Bechara (Super Contributor)

admin share


Is there a way to monitor who is accessing C$ on a computer? Like an event in Active Directory?


Accepted Solutions
rkent1 (Acclaimed Contributor)

Re: admin share


You'll likely want to look for the Windows Event 5140 - "A network share object was accessed"

Windows Security Log Event ID 5140 - A network share object was accessed

Seems like there isn't a corresponding event in Pre-Windows 2008 versions though.

4 Replies
rkent1 (Acclaimed Contributor)

Re: admin share



Below is the event mapping for those events. In addition, you'll need your audit policy to log this particular category/subcategory: Object Access: File Share.

The Win2008 mapping doc shows that the Share Name is stored in both File Path and DCS6


5140 A network share object was accessed.

Windows 2008 mappings:

HP ArcSight ESM Field           Device-Specific Field
Source Address                  Network Information:Source Address
File Path                       Share Name
Device Custom String 6          Share Name

Windows 2012 mappings:

HP ArcSight ESM Field           Device-Specific Field
Source Address                  Network Information:Source Address
Device Custom IPv6 Address 2    Network Information:Source Address
File Path                       Share Information:Share Name
File Type                       Network Information:Object Type
Device Custom String 1          Access Request Information:Accesses
Device Custom String 6          Share Information:Share Name

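The two replies above name the event (5140) and the audit subcategory (Object Access: File Share) but not how to switch the auditing on or pull the who/where/what fields out of the event. The PowerShell below is an added example, not code from the thread, from Microsoft or from ArcSight; the function name Get-AdminShareAccess and its parameters are our own. One point worth making explicit for the original question: 5140 is written to the Security log of the computer whose C$ was opened, not to a domain controller, so you run this against (or collect from) that machine.

```powershell
# Added example: audit who connects to the C$ admin share via Security event 5140.
# Run in an elevated PowerShell on the machine hosting the share, or point -ComputerName at it.
# The helper name Get-AdminShareAccess and its parameter names are assumptions of this example.

# 1. Make sure the subcategory named in the reply above is actually being audited;
#    without it no 5140 events are written at all. A domain GPO may override this local setting.
auditpol /get /subcategory:"File Share"
auditpol /set /subcategory:"File Share" /success:enable /failure:enable

function Get-AdminShareAccess {
    [CmdletBinding()]
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        # 5140 records the UNC form of the share, e.g. \\*\C$ ; pass '\\*\*$' to see every admin share
        [string]   $ShareName    = '\\*\C$',
        [datetime] $Since        = (Get-Date).AddDays(-1),
        [int]      $MaxEvents    = 5000
    )

    # Let the event log service do the coarse filtering (event ID + time window) instead of
    # pulling the whole Security log across the wire.
    $windowMs = [int64]((Get-Date) - $Since).TotalMilliseconds
    $xpath    = "*[System[EventID=5140 and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # Read the named EventData fields from the event XML rather than regexing the message text
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only keep connections to the share(s) we care about
        if ($data.ShareName -like $ShareName) {
            $outcome = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }

            [pscustomobject]@{
                Time           = $_.TimeCreated
                Computer       = $_.MachineName
                # who: Subject fields; LogonId can be joined to the matching 4624 logon event
                User           = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                LogonId        = $data.SubjectLogonId
                # from where: Network Information:Source Address -> ArcSight Source Address
                SourceAddress  = $data.IpAddress
                SourcePort     = $data.IpPort
                # what: Share Information:Share Name -> File Path / Device Custom String 6
                ShareName      = $data.ShareName
                ShareLocalPath = $data.ShareLocalPath
                # Access Request Information:Accesses -> Device Custom String 1 (2012 mapping)
                AccessMask     = $data.AccessMask
                ObjectType     = $data.ObjectType
                Outcome        = $outcome
            }
        }
    }
}

# Usage: who opened C$ in the last 24 hours, grouped by account and source address
Get-AdminShareAccess |
    Group-Object User, SourceAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Two caveats when reading the output. Event 5140 is logged once per connection to the share, not per file, so it tells you who mapped C$ and from where but not what they read or wrote; per-file detail comes from the separate "Detailed File Share" subcategory (event 5145), which is far noisier. And because the event lives on the share host, an attacker who has local admin on that host (which C$ access already implies) can clear it, so forward these events to the SIEM rather than relying on the local log.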
grace.chang (Absent Member)

Re: admin share


Was Richard's answer correct? If so, please mark as correct.

Rashid470102 (Absent Member)

Re: admin share


Hi,

EventlogType=Security
&&DetectTime=xxxxxx
&&EventSource=Microsoft-Windows-Security-Auditing
&&EventID=4732
&&EventType=Audit_success
&&EventCategory=13826
&&User=
&&ComputerName=xxxx
&&Description=A member was added to a security-enabled local group.
&&Subject=Security ID=S-1-5-xxx-xxx-xxxx---xxxxx
&&Account Name=xxx9902
&&Account Domain=xxxxx
&&Logon ID=0x5ea80588
&&Member=Security ID=S-1-5-21-xxxxxxxxxx-63644
&&AccountName=
&&Group=Security ID=S-1-5-32-545
&&Group Name=Users
&&Group Domain=Builtin
&&Additional Information=Privileges=

It seems that in the raw event itself the information is not present.

Can you please advise?

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.