US 12,216,805 B2
Monitoring file sharing commands between network equipment to identify adverse conditions
Maxim Balin, Yavne (IL); Tomer Shachar, Omer (IL); and Yevgeni Gehtman, Modi'in (IL)
Assigned to DELL PRODUCTS L.P., Round Rock, TX (US)
Filed by Dell Products, L.P., Round Rock, TX (US)
Filed on Apr. 14, 2022, as Appl. No. 17/721,184.
Prior Publication US 2023/0334185 A1, Oct. 19, 2023
Int. Cl. G06F 21/78 (2013.01); G06F 21/31 (2013.01); G06F 21/55 (2013.01); G06F 21/62 (2013.01); H04L 67/1097 (2022.01)
CPC G06F 21/78 (2013.01) [G06F 21/31 (2013.01); G06F 21/556 (2013.01); G06F 21/6218 (2013.01); H04L 67/1097 (2013.01)]
20 Claims
1. A method, comprising:
monitoring, by security equipment comprising a processor, resource sharing communication between first network equipment and second network equipment via a network;
based on the resource sharing communication, determining, by the security equipment, an access activity pattern comprising one or more access command metrics, resulting in a determined access activity pattern;
determining that the one or more access command metrics correspond to the determined access activity pattern having at least a likelihood of indicating a data leakage event based on a normal access activity pattern that comprises one or more normal access command metrics; and
in response to determining that the one or more access command metrics has at least the likelihood of indicating the data leakage event, facilitating, by the security equipment, a mitigation action being performed to mitigate the data leakage event,
wherein the resource sharing communication comprises one or more commands from the first network equipment to access storage units stored by the second network equipment, and wherein the one or more commands from the first network equipment to the access storage units stored by the second network equipment comprise a connect command followed by a read command followed by a disconnect command, and wherein the one or more access command metrics of the determined access activity pattern comprise copying all files in a directory after the connect command and disconnecting after all of the files in the directory have been copied without other commands from the first network equipment to the access storage units stored by the second network equipment occurring between the connect command and the disconnect command.
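The access pattern recited in claim 1, written as detection logic over a file-sharing command log. This is an added example, not code from the patent or from the assignee. The event tuple format, the per-directory file inventory and the baseline threshold `NORMAL_MAX_READ_FRACTION` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not a real SMB/NFS log): (session, command, path).
EVENTS = [
    ("s1", "connect", "/share/hr"),
    ("s1", "read", "/share/hr/a.xlsx"),
    ("s1", "read", "/share/hr/b.xlsx"),
    ("s1", "read", "/share/hr/c.xlsx"),
    ("s1", "disconnect", "/share/hr"),
    ("s2", "connect", "/share/hr"),
    ("s2", "list", "/share/hr"),
    ("s2", "read", "/share/hr/a.xlsx"),
    ("s2", "write", "/share/hr/a.xlsx"),
    ("s2", "disconnect", "/share/hr"),
    ("s3", "connect", "/share/hr"),
    ("s3", "read", "/share/hr/b.xlsx"),
    ("s3", "disconnect", "/share/hr"),
]
# Assumed inventory of the files held in each shared directory.
DIRECTORY_FILES = {"/share/hr": {"/share/hr/a.xlsx", "/share/hr/b.xlsx", "/share/hr/c.xlsx"}}
# Assumed normal metric: a typical session reads at most half of a directory.
NORMAL_MAX_READ_FRACTION = 0.5

def access_metrics(commands, inventory):
    """Reduce one session's ordered (command, path) list to access command metrics."""
    names = [cmd for cmd, _ in commands]
    bracketed = len(names) >= 3 and names[0] == "connect" and names[-1] == "disconnect"
    files = inventory.get(commands[0][1], set()) if bracketed else set()
    read = {path for cmd, path in commands[1:-1] if cmd == "read"}
    return {
        # True only when nothing but reads occurs between connect and disconnect.
        "only_reads": bracketed and all(n == "read" for n in names[1:-1]),
        "read_fraction": len(read & files) / len(files) if files else 0.0,
    }

def flag_sessions(events, inventory, normal_max=NORMAL_MAX_READ_FRACTION):
    """Return session ids matching connect -> read every file -> disconnect."""
    sessions = defaultdict(list)
    for sid, cmd, path in events:
        sessions[sid].append((cmd, path))
    flagged = []
    for sid, commands in sessions.items():
        m = access_metrics(commands, inventory)
        if m["only_reads"] and m["read_fraction"] == 1.0 and m["read_fraction"] > normal_max:
            flagged.append(sid)  # hand off to a mitigation step, e.g. alert or block
    return flagged

if __name__ == "__main__":
    print(flag_sessions(EVENTS, DIRECTORY_FILES))
```

Session `s2` is not flagged because a list and a write occur between connect and disconnect, and `s3` is not flagged because it reads only part of the directory.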