Mundy

IT Knowledge Base


Contact me at dan@mundy.co for any feedback or suggestions.



File System Auditing

  1. Enable auditing on the computer via Group Policy
  2. Select which folders to audit by opening each folder's Properties and going to the Auditing tab
  3. Monitor the Security event log




Event log XML filter to show the auditing events (event ID 4663) for a single file:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4663)]]
      and
      *[EventData[Data[@Name='ObjectName']='C:\Users\test\AppData\Local\Microsoft\Outlook\Outlook.ost']]
    </Select>
  </Query>
</QueryList>
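
The three steps above as one scripted check (an added example, not part of the original page). It assumes an elevated PowerShell session, audits the folder that holds the page's example file, and uses an audit rule chosen for illustration (writes and deletes by Everyone).

```powershell
#Requires -RunAsAdministrator
# Added example. $File is the path used in the page's filter; the audit rule
# (Everyone, Write + Delete, success and failure) is an assumption.
$File   = 'C:\Users\test\AppData\Local\Microsoft\Outlook\Outlook.ost'
$Folder = Split-Path -Path $File -Parent

# Step 1 check: confirm the Group Policy setting actually reached this machine.
# (The subcategory name is localized; "File System" is the English name.)
auditpol /get /subcategory:"File System"

# Step 2: add an audit entry (SACL) to the folder, inherited by its files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the SACL, not just the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3: pull matching 4663 events with the same XPath as the Event Viewer filter.
$xpath  = "*[System[(EventID=4663)]] and *[EventData[Data[@Name='ObjectName']='$File']]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    # Get-WinEvent raises an error on zero matches; treat that as "nothing logged yet".
    Write-Host "No 4663 events for $File. Check the policy (step 1) and the SACL (step 2)."
}

foreach ($evt in $events) {
    # Flatten the named <Data> fields of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time       = $evt.TimeCreated
        User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process    = $data['ProcessName']
        AccessMask = $data['AccessMask']
        Object     = $data['ObjectName']
    }
}
```

An empty result with the policy enabled usually means the SACL does not cover the access type that occurred, since 4663 is only logged for accesses that match an audit entry.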
file_system_auditing.txt · Last modified: 2018/04/09 09:56 (external edit)