drop file access logs or security evtx csv · flag access to honeypot and canary patterns · insider trip wires · runs locally
4663 / 4656 csv
expects ObjectName + SubjectUserName · event 4663/4656 · optional AccessMask, ProcessName, TimeCreated
custom honeypot patterns
add your decoy filenames · regex example: /confidential.*\.xlsx/i
log
drop 4663/4656 security csv · 230 built-in canary patterns