I recently set up a honeypot share on a Windows server. I put some very “interesting” files and directories in there (financial information, PII, etc.) and then enabled audit logging in Windows. There’s a very powerful but mostly unknown Windows tool called LogParser which can be used to query your System/Security event logs. It’s possible to write a script that will query your system security log every so often and look for requests to the honeypot. You can get very sophisticated using LogParser, a few handwritten scripts, and the Windows Task Scheduler.
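
One way to write the query described above, as an added example that is not from the original post. The folder name `Finance-Archive`, the file names `honeypot.sql` and `honeypot.lpc`, and the use of event ID 4663 (file object access auditing on Windows Vista/Server 2008 and later) with its field positions are assumptions; check them against a real audit event on your own server.

```sql
-- honeypot.sql: LogParser query for access to the honeypot folder (added example).
--
-- Assumed invocation from a Task Scheduler job:
--   LogParser.exe file:honeypot.sql -i:EVT -o:CSV -iCheckPoint:honeypot.lpc
-- The checkpoint file makes each run read only events written since the
-- previous run, so every hit is reported once.
--
-- In the EVT input format, Strings holds the event's insertion strings
-- separated by '|'. Positions below assume the 4663 layout:
--   1 = SubjectUserName, 2 = SubjectDomainName, 6 = ObjectName,
--   9 = AccessMask, 11 = ProcessName
SELECT
    TimeGenerated,
    ComputerName,
    EXTRACT_TOKEN(Strings, 2, '|')  AS Domain,
    EXTRACT_TOKEN(Strings, 1, '|')  AS Account,
    EXTRACT_TOKEN(Strings, 6, '|')  AS ObjectName,
    EXTRACT_TOKEN(Strings, 9, '|')  AS AccessMask,
    EXTRACT_TOKEN(Strings, 11, '|') AS ProcessName
FROM Security
WHERE EventID = 4663
  -- 'Finance-Archive' is a placeholder for the honeypot directory name.
  -- Nothing legitimate should touch it, so every match is worth a look.
  AND EXTRACT_TOKEN(Strings, 6, '|') LIKE '%Finance-Archive%'
ORDER BY TimeGenerated
```

Any rows in the CSV output are hits; the scheduled script can mail or log them, and an empty result means no one touched the share since the last run.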