5145 A network share object was checked for desired access (detailed file share)
Logged when access is checked for an individual file or folder within a network share. It records, in detail, which files were accessed through a share and can be used to detect data exfiltration.
Overview
The subcategory is Audit Detailed File Share. Whereas share access 5140 shows “entered the share,” 5145 records the access check for each object within the share (per file name). It includes the requested rights, target file, and source IP.
How it is triggered
- Each time access to a file/folder within a share is requested and checked.
- There are success (S) and failure (F) variants; denied access is also recorded.
Security review points
- Detecting data exfiltration: you can track, per file name, which account accessed which file in a share from which IP. Reading many files in a short time is a sign of data collection/exfiltration.
- Watch for unexpected access to sensitive shares/files and for bursts of denials (F), which indicate probing of permissions. Correlate with share access 5140 and network logon 4624.
Notes for log review
- This event is generated in huge volume on file servers. Aggregate by target file, source, and count, then narrow down to access to sensitive data or bulk reads.
- Because the audit load is high, it is practical to enable it only on important shares.
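The aggregation described above, as an added example that is not part of the original page: it groups 5145 events by account and source address, then flags bulk reads of distinct files and bursts of denials inside a sliding window. The dictionary keys, thresholds, window size and sample events are assumptions constructed for illustration; only the ReadData bit (0x1) of the Access Mask is counted as a read.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FILE_READ_DATA = 0x1  # ReadData/ListDirectory bit in the Access Mask

def review_5145(events, window=timedelta(minutes=5), read_limit=4, deny_limit=3):
    """Return (kind, account, source, distinct_files) for each account/source
    pair that crosses a threshold inside one sliding window."""
    rules = (
        ("bulk_read", read_limit,
         lambda e: e["result"] == "S" and e["mask"] & FILE_READ_DATA),
        ("denial_burst", deny_limit, lambda e: e["result"] == "F"),
    )
    per_actor = defaultdict(list)
    for e in events:
        per_actor[(e["account"], e["source"])].append(e)
    findings = []
    for actor in sorted(per_actor):
        evs = sorted(per_actor[actor], key=lambda e: e["time"])
        for kind, limit, keep in rules:
            hits = [e for e in evs if keep(e)]
            start = best = 0
            for end in range(len(hits)):
                # Shrink the window until it spans at most `window` of time.
                while hits[end]["time"] - hits[start]["time"] > window:
                    start += 1
                seen = {(h["share"], h["target"]) for h in hits[start:end + 1]}
                best = max(best, len(seen))
            if best >= limit:
                findings.append((kind, actor[0], actor[1], best))
    return findings

# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 1, 9, 0, 0)

def ev(sec, account, source, target, result="S", mask=0x120089):
    return {"time": T0 + timedelta(seconds=sec), "account": account,
            "source": source, "share": r"\\*\Finance", "target": target,
            "result": result, "mask": mask}

SAMPLE = (
    [ev(0, "alice", "10.0.0.5", "q1.xlsx"), ev(3600, "alice", "10.0.0.5", "q1.xlsx")]
    + [ev(10 * i, "svc_scan", "10.0.0.9", f"hr\\file{i}.docx") for i in range(4)]
    + [ev(5, "svc_scan", "10.0.0.9", "hr\\extra.docx", mask=0x80)]  # attributes only
    + [ev(10 * i, "bob", "10.0.0.7", f"board\\m{i}.pdf", result="F") for i in range(3)]
    + [ev(3600 * i, "carol", "10.0.0.8", f"c{i}.txt") for i in range(4)]  # slow, spread out
)

if __name__ == "__main__":
    for finding in review_5145(SAMPLE):
        print(finding)
```

Counting distinct files rather than raw events keeps repeated access checks on the same file from inflating the score.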
Key fields
| Field | Meaning |
|---|---|
| Share Name / Relative Target Name | The share and the file/folder within it |
| Source Address | The accessing IP |
| Access Mask | The requested access rights |
| Subject\Account Name | The accessing account |