Event Details
EventID 5140 - A network share object was accessed. [2008 R2 or higher]
Sample:
A network share object was accessed.
	
Subject:
	Security ID:		PROD\dtang
	Account Name:		dtang
	Account Domain:		PROD
	Logon ID:		0xf78871b2

Network Information:	
	Object Type:		File
	Source Address:		10.154.14.44
	Source Port:		47799
	
Share Information:
	Share Name:		\\*\InTrustRepository
	Share Path:		\??\C:\Program Files (x86)\Quest\InTrust\Server\InTrust\Repositories

Access Request Information:
	Access Mask:		0x1
	Accesses:		ReadData (or ListDirectory)
===========================
Description template stored in adtschema.dll:
===========================
A network share object was accessed.
	
Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Network Information:	
	Object Type:		%5
	Source Address:		%6
	Source Port:		%7
	
Share Information:
	Share Name:		%8
	Share Path:		%9

Access Request Information:
	Access Mask:		%10
	Accesses:		%11
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: Security

Filtering Field | Equals to Value
OSVersion | Windows 7 (2008 R2); Windows 8 (2012); Windows 8.1 (2012 R2); Windows 10 (2016)
Category | Object Access
Source | Microsoft-Windows-Security-Auditing
TaskCategory | File Share
EventId | 5140
Field Matching

Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00
Who | Account or user name under which the activity occurred. | Subject: Account Name | dtang
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Network share accessed" | Network share accessed
Where | The name of the workstation/server where the activity was logged. | Computer | DC1
Where From | The name of the workstation/server where the activity was initiated from. | Network Information: Source Address | 10.154.14.44
Severity | Specify the seriousness of the event. | - | High
WhoDomain |  | Subject: Account Domain | PROD
WhereDomain |  | - |
Result | Successful or Failed | - |
Object Name |  | Object Name | \\*\InTrustRepository
Object Type |  | "File Share" | File Share
Whom |  | InsertionString8 | \\*\InTrustRepository
Security ID |  | Subject: Security ID | PROD\dtang
Account Name |  | InsertionString2 | dtang
Access Mask |  | Access Request Information: Access Mask | 0x1
Accesses |  | Access Request Information: Accesses | ReadData (or ListDirectory)
Share Name |  | InsertionString8 | \\*\InTrustRepository
Share Path |  | Share Information: Share Path | \??\C:\Program Files (x86)\Quest\InTrust\Server\InTrust\Repositories
Source Address |  | InsertionString6 | 10.154.14.44
Source Port |  | Network Information: Source Port | 47799
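
Added example (not part of the original page and not vendor code): Python that parses the rendered 5140 description and maps it to some of the Field Matching names using the "Stored in" column, rejecting events whose description is incomplete. The names parse_5140, normalize and FIELD_MAP are assumptions made for this example, and the input is the sample above re-typed as a constructed string.

```python
import re
# Constructed input: the rendered description from the Sample section of this page.
SAMPLE = r"""A network share object was accessed.
Subject:
    Security ID:        PROD\dtang
    Account Name:       dtang
    Account Domain:     PROD
    Logon ID:           0xf78871b2
Network Information:
    Object Type:        File
    Source Address:     10.154.14.44
    Source Port:        47799
Share Information:
    Share Name:         \\*\InTrustRepository
    Share Path:         \??\C:\Program Files (x86)\Quest\InTrust\Server\InTrust\Repositories
Access Request Information:
    Access Mask:        0x1
    Accesses:           ReadData (or ListDirectory)
"""

# Normalized field -> (section, label), taken from the "Stored in" column (assumed subset).
FIELD_MAP = {
    "Who": ("Subject", "Account Name"),
    "WhoDomain": ("Subject", "Account Domain"),
    "Where From": ("Network Information", "Source Address"),
    "Whom": ("Share Information", "Share Name"),
    "Access Mask": ("Access Request Information", "Access Mask"),
}

def parse_5140(message):
    """Split the rendered description into {section: {label: value}}."""
    sections, current = {}, None
    for line in message.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # title line or blank separator
        label, value = m.group(1).strip(), m.group(2).strip()
        if not line[0].isspace() and not value:
            current = sections.setdefault(label, {})  # unindented "Section:" header
        elif current is not None:
            current[label] = value  # split on the first ':' only, so "C:\..." survives
    return sections

def normalize(message):
    raw = parse_5140(message)
    event = {name: raw.get(sec, {}).get(lbl) for name, (sec, lbl) in FIELD_MAP.items()}
    missing = sorted(k for k, v in event.items() if not v)
    if missing:
        raise ValueError("5140 description missing: " + ", ".join(missing))
    return event
```

The parser accepts the tab-indented layout of the real event text as well, since it only distinguishes indented field lines from unindented section headers.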