Is there a way to have the userID (or UserSID or anything that could help identify a user) on an SMB event like create or delete ? it seems thats there are 2 kind of SMB events :
- events (like create or delete) that have a USERSID but the URI points to the file share root (\\stoaccount.file.core.windows.net\nameshare)
- events (like create or delete) that don't have any informations related to the events but have a correct URI (\\stoaccount.file.core.windows.net\nameshare\nameoffile)
i tried solving this issue with the support team but they didn't found a solution to this question , we could'nt even know what the first category of events refer to. which means right now we can't use the log activities as we will miss things or misunderstand events . do anyone use Azure Diag logs on azure file ? it's a critical point for our migration (as we have audit logs on-premise)