To create the template:
1) Open the Change Auditor client and go to "View", "Administration"
2) In the lower left, click on the "Auditing" blade
3) A little above that, click on "File System" under the "Server" section
4) In the right hand window, click on the "Add+" button towards the top
5) Give the template a meaningful name (such as: Network Share Auditing)
6) Select the "All drives" radio button directly below that, then click "Add"
7) In the bottom window, scroll all the way to the bottom and under the "Folder Events" column enable the bottom 4 events:
- "Local share added"
- "Local share folder path changed"
- "Local share permissions changed"
- "Local share removed"
8) With those 4 items enabled, click "Next"
9) On the "Inclusions" tab, add in a star (*) and click "Add", then click "Next"
10) On the "Exclusions" tab, just click "Next" and then "Finished"
Now the template needs to be assigned to a configuration:
1) Click on the "Assign" button on the menu bar.
2) For each agent configuration in your environment (listed on the left), you will have to enable the "Network Share Auditing" template (or whatever name you gave it)
3) Select the configuration on the left, then in the middle find the line item that corresponds to your template name, click on the red "No" option and change it to a green "Yes".
4) Click "Apply" and then repeat for other configurations.
5) Once all configurations are updated, click "OK"
At this point, your configurations have all been modified, but they haven't been pushed out to the agents. This will occur naturally if you wait about 20 minutes. If you don't want to wait, you can refresh the configurations on the "Configuration" blade, on the "Agents" item in the upper left. Select the agent or agents that you wish to refresh (Shift-click can select many), then right-click and select "Refresh configuration".
Now Change Auditor will be collecting data on network share creations, alterations and deletions for any host that has an agent installed.
You can create a search to look for this data:
1) Under the "What" tab, click "Add" then under the events filter, type in "local share". You should see 4 items.
2) Select those, then click "Add" and then click "OK"
3) Add in any other parameters for your search, such as "When"
4) Save and run your search.
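To confirm that the template is producing events, the following added example (not part of the original article and not Quest tooling) creates, modifies and removes a throwaway share on a host that has an agent, using the built-in Windows SmbShare cmdlets. The share name, folder path and pause length are assumed test values, and it does not exercise "Local share folder path changed". Run it from an elevated PowerShell session after the configuration has refreshed, then run the saved search with "When" covering the reported time window.

```powershell
#Requires -RunAsAdministrator
# Added validation example. All names below are constructed test values.
$ShareName = 'CA-AuditTest'                              # assumed test share name
$SharePath = Join-Path $env:SystemDrive 'CA-AuditTest'   # assumed test folder
$Principal = 'BUILTIN\Administrators'                    # name differs on localized Windows
$PauseSec  = 5                                           # gap so events are easy to tell apart

if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    throw "Share '$ShareName' already exists; pick a different test name."
}

# Only remove the folder afterwards if this script created it.
$createdFolder = $false
if (-not (Test-Path -LiteralPath $SharePath)) {
    New-Item -ItemType Directory -Path $SharePath | Out-Null
    $createdFolder = $true
}

$started = Get-Date
try {
    # Step 1: expected to surface as "Local share added"
    New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $Principal | Out-Null
    Start-Sleep -Seconds $PauseSec

    # Step 2: expected to surface as "Local share permissions changed"
    Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
        -AccessRight Full -Force | Out-Null
    Start-Sleep -Seconds $PauseSec
}
finally {
    # Step 3: expected to surface as "Local share removed"; runs even if a step failed
    if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
        Remove-SmbShare -Name $ShareName -Force
    }
    if ($createdFolder) {
        Remove-Item -LiteralPath $SharePath -Force
    }
}

# Values to plug into the "What" / "When" / "Where" parts of the search.
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    ShareName = $ShareName
    From      = $started
    To        = Get-Date
}
```

If the search returns nothing for the reported host and time window, check that the template shows "Yes" for that agent's configuration and that the configuration refresh has completed.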