Hello Friends,
My customer asked for a way to document all the attempts to open a folder/file that result in "access denied".
I assumed that enabling CIFS audit would cover that, but I looked at the event types in the documentation and none of them seem to be relevant:
[{file-ops|cifs-logon-logoff|cap-staging|file-share|authorization-policy-change|user-account|security-group|authorization-policy-change}]
Any ideas what is the best way to capture these events?
Thank you!