I am trying to report on a File Monitoring report that picks up all operations such as Read, Created, Wrote, etc. However, I only want to see Read records where the individual accessed a document. I do not care about Reads accessing a folder, keeping in mind that I also want to see all other operation types. I’m thinking of a search command where the Read operation is within parentheses, looking specifically in the directory field for a file extension.
Here is my search criteria:
host = 10.0.0.3 "D:\\Data\\public\\human" | transaction user, _time | table user, operation, directory, _time