For file access event auditing you need to configure 'options cifs.audit.file_access_events.enable on'.
You'll also need to set the system security ACLs on the files/folders that you wish to have auditing on.
This can be done with Storage-Level Access Guard security, or Windows Properties/Security, or by applying a GPO to propogate the SACLs down through a directory heirarchy.
The internal audit log file is stored as /etc/log/auditlog.alf. The .evt files can be saved off to another location with 'options cifs.audit.saveas <fullpath>'.
You can create a secure share for this path.
You can kill individual cifs sessions with 'cifs terminate'. See the man pages.
I hope this response has been helpful to you.
At your service,
Eugene E. Kashpureff
Fastlane NetApp Instructor and Independent Consultant
(P.S. I appreciate points for helpful or correct answers.)