Thank you very much for this. I have imported the new rule but am having difficulty finding the corresponding $EventInfo and $DetectionTime fields - I can't find the "File Audit Alerts Only" field from which to drag and drop the information. Could you explain how you got these fields please?
