Splunk Enterprise

How to track read and copy activity in a Windows folder?

Arnab6641
Loves-to-Learn

Hello,

I am trying to set up a report which will list all user activities in the F: drive. PFB my inputs.conf:


[WinEventLog://Security]
disabled = 0
index = fgfdstore
start_from = newest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 15
whitelist1 = 4663,4656
renderXml = false

I have also prepared the below search query:

index=<indexname> Object_Name="F:*" NOT *.*tmp
| eval folder = mvindex(split(lower(Object_Name),"\\"),3)
| table _time, Account_Name, folder, Object_Name, Accesses
| rename Object_Name as "File Path", Account_Name as UserName
| dedup UserName, "File Path", Accesses
| sort -_time


With this setup I am able to track activities like delete, modify, READ_CONTROL and create.
However, I am still not getting records when my colleague opened a file in F: drive as a test run.

Also, I am not able to understand how I can tell if a file is being copied from F: drive without opening it.

My questions are:
1. How can I track if a file is read but not modified?
2. How can I tell if a file is copied without ever opening it?

I am new to Splunk and my questions may appear naïve and simple. Any help, guidance and suggestion is highly appreciated.
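As an added example (not from the original post and not Splunk's own code), the following Python classifies Windows Security event 4663 records into read-only, metadata-only and modifying access, using the same field names the search above extracts (Account_Name, Object_Name, Accesses) plus Access_Mask, which is assumed here to be available as a hex string such as "0x1". The access-mask bit values are the standard Windows file access rights; the sample events are constructed for the demo. It also reproduces the drive filter, the .tmp exclusion and the folder split from the post's search so the two can be compared side by side.

```python
"""
Classify Windows Security event 4663 records (object access attempts) into
coarse access classes, then report which (user, file) pairs were read but
never modified.  Sample events below are constructed for this demo; Access_Mask
is assumed to be extracted as a hex string like "0x1".
"""
from collections import defaultdict

# Standard Windows file access-mask bits.  The "Accesses" text in a 4663
# record is the friendly rendering of these bits.
FILE_READ_DATA = 0x0001          # "ReadData (or ListDirectory)"
FILE_WRITE_DATA = 0x0002         # "WriteData (or AddFile)"
FILE_APPEND_DATA = 0x0004        # "AppendData (or AddSubdirectory ...)"
FILE_READ_EA = 0x0008
FILE_WRITE_EA = 0x0010
FILE_READ_ATTRIBUTES = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100
DELETE = 0x10000
READ_CONTROL = 0x20000           # reads the security descriptor only, not content
WRITE_DAC = 0x40000
WRITE_OWNER = 0x80000

MODIFY_BITS = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
               | FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC | WRITE_OWNER)
METADATA_BITS = FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL


def classify(access_mask) -> str:
    """Map an Access_Mask (int or '0x..' string) to 'modify', 'read', 'metadata' or 'other'."""
    mask = int(access_mask, 16) if isinstance(access_mask, str) else int(access_mask)
    if mask & MODIFY_BITS:
        return "modify"      # content, attributes, ACL or existence of the file changed
    if mask & FILE_READ_DATA:
        return "read"        # file content was read: an open-for-read or the source side of a copy
    if mask & METADATA_BITS:
        return "metadata"    # e.g. READ_CONTROL: only the DACL/attributes were inspected
    return "other"


def top_folder(object_name: str, depth: int = 1) -> str:
    """Path component at `depth`, like the mvindex/split in the post (depth 1 is the
    first folder under the drive letter).  Returns '' if the path is too short."""
    parts = object_name.lower().split("\\")
    return parts[depth] if len(parts) > depth else ""


def in_scope(event: dict, drive: str = "f:") -> bool:
    """Keep events on the watched drive and drop temp files (the NOT *.*tmp clause)."""
    name = event["Object_Name"].lower()
    return name.startswith(drive) and not name.endswith(".tmp")


def summarize(events, drive: str = "f:") -> dict:
    """Return {(user, path): set of access classes} over in-scope events."""
    seen = defaultdict(set)
    for ev in events:
        if in_scope(ev, drive):
            seen[(ev["Account_Name"], ev["Object_Name"])].add(classify(ev["Access_Mask"]))
    return dict(seen)


def read_only_access(events, drive: str = "f:") -> set:
    """(user, path) pairs whose content was read but never modified."""
    return {key for key, classes in summarize(events, drive).items()
            if "read" in classes and "modify" not in classes}


# Constructed 4663 records (not real data), keyed like Splunk's extracted fields.
SAMPLE_EVENTS = [
    {"Account_Name": "alice", "Object_Name": r"F:\Finance\Q1\budget.xlsx",
     "Access_Mask": "0x1", "Accesses": "ReadData (or ListDirectory)"},
    {"Account_Name": "alice", "Object_Name": r"F:\Finance\Q1\budget.xlsx",
     "Access_Mask": "0x20000", "Accesses": "READ_CONTROL"},
    {"Account_Name": "bob", "Object_Name": r"F:\Finance\Q1\budget.xlsx",
     "Access_Mask": "0x2", "Accesses": "WriteData (or AddFile)"},
    {"Account_Name": "bob", "Object_Name": r"F:\Finance\Q1\~budget.tmp",
     "Access_Mask": "0x2", "Accesses": "WriteData (or AddFile)"},
    {"Account_Name": "carol", "Object_Name": r"C:\Windows\Temp\x.log",
     "Access_Mask": "0x1", "Accesses": "ReadData (or ListDirectory)"},
    {"Account_Name": "dave", "Object_Name": r"F:\HR\roster.csv",
     "Access_Mask": "0x10000", "Accesses": "DELETE"},
]

if __name__ == "__main__":
    for (user, path), classes in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{user:6} {top_folder(path):8} {path:32} {sorted(classes)}")
    print("read but not modified:", sorted(read_only_access(SAMPLE_EVENTS)))
```

Two things the classification makes visible: a 4663 carrying only READ_CONTROL (as in the second constructed record) means the security descriptor was inspected, not that the content was read, so it is not evidence of a read; and a 4663 for the source file is only generated when the folder's SACL audits that access right, so if ReadData is not in the audit entry, content reads (including the read half of a copy) will not appear in the index at all.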
