I had task to check who and when is accessing file shares
First step was to enable folder/files audit
Then i should pull reports out of Event Viewer
Needed to get reports only for subset of shared folders and needed to exclude specific accounts from it
Below script returns time, folder being accessed and account who accessed it.
$EventId = 4663
$results = Get-WinEvent -FilterHashtable @{logname='Security'; id=$EventId; StartTime = "03/24/2023 09:30:00" } |`
Where-Object { $_.message -match "C:\\folder1\\" -or $_.message -match "D:\\folder2" -or $_.message -match "D:\\folder3" -and $_.message -notmatch "Account Name:\s*account1*" -and $_.message -notmatch "Account Name:\s*machine$*"}`
| Select-Object -Property TimeCreated,
@{Label='Account'; Expression={$_.properties[1].Value}},
@{Label='ObjectName'; Expression={$_.properties[6].Value}}
$results | Export-Csv "C:\1.csv" -NoTypeInformation -Encoding UTF8
geekdudes 