- Windows file auditing isn't required to use the Log and Event Manager FIM
- That's still the case. IMHO, reads aren't worth collecting
- The "Writes" can be useful for flagging changes to permissions and ownership
- Some operations will always show NTSYSTEM, but as long as the Agent is running where files are hosted, deletes and creates ought to have user credentials on them
- Solarwinds Log and Event Manager - Configuring FIM and Analyzing FIM Data - YouTube
If you want to tell when someone opened a file vs. a folder with FIM, you can change whether to look for an extension or not (i.e. *.* vs. just *). Or, you can audit the files you're interested in directly and not the parent directory with a mask. Or, if you explicitly want to know about the directory, you can configure FIM without recursion. There's a lot of noise that comes with reading a directory, though, regardless of whether it's Windows or FIM auditing.