Hi All
I would like to monitor "4670: Permissions on an object were changed".
I have the following query:
index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "Object_Name"!= "."
| search [inputlookup xxxxxx.csv]
| Table _time EventCode Account_Name "Object_Type" "Object_Name"
| rename EventCode AS "Event", "Account_Name" AS "User", "Object_Type" AS "Object", "Object_Name" AS "Folder"
In the results I get the root folder and all its subfolders.
How can I exclude the subfolders from the results so I just get the root folder?
Regards