I am ingesting file auditing logs to monitor changes to certain files. I am monitoring events 4663 and 4656 which have an Object Name that lists the file path of the accessed file. We are only concerned about .pdf, .doc, and .docx files and would like to filter out any other file type.
Currently I have the below whitelist in place but I am getting stuck trying to figure out how to only ingest certain file types (.pdf, .doc, and .docx) under the Object Name field within the log.
whitelist = 4663,4656
Here is a log 4663 example (I bolded the part we want to filter):
An attempt was made to access an object.
Subject: Security ID: Test User Account Name: Test User Account Domain: Test Logon ID: 12345567