I currently have an alert set to notify me on any mass modification files over 100. The alert only provides the User, Operation, Source, and Count. I am now being asked to provide the details (what got changed) along with the alert. For example, I would like the alert to not only contain the count per operation, but the actual record of what got changed. Please see my current search string below.
sourcetype=udp:514 host = 10.0.0.3 "D:\\Data" NOT Read NOT Permissions | stats count by user, operation, machine_source | rename user as User, operation as Operation, machine_source as Source, | sort -count | search count>100
Thank you!
Like this
.... | stats count list(details) as whatchanged by user, operation, machine_source | rename ....
Thank you but how do I remove those extra fields? thanks