Hello, I'm trying to create a custom filter to return only files that are deleted. Problem is, I do not care about .tmp files created and removed by MS Office. How can I exclude any result that has an "ObjectName" which contains ".tmp"?
My filter looks like this right now. Can someone help me? This returns all deleted items, including the .tmp ones.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='AccessMask'] and (Data='0x10000')]] and
      *[EventData[Data[@Name='ObjectName'] and (Data!='.tmp')]]
    </Select>
  </Query>
</QueryList>
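
Added example, not part of the original post: the Event Log query engine implements only a subset of XPath 1.0 and has no `contains()` or `ends-with()`, so `Data!='.tmp'` only excludes an ObjectName that is exactly `.tmp`. One way to get the intended result is to keep the exact AccessMask match in the XML filter and drop the `.tmp` paths in PowerShell. The helper name `Get-EventDataValue` is hypothetical, and the `SubjectUserName` field assumes the events are standard file object-access audit records.

```powershell
# Server-side part: only the exact-match test is pushed into the query.
# Data[@Name='AccessMask']='0x10000' binds the value to that named field;
# the original form matched any Data element equal to 0x10000.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='AccessMask']='0x10000']]
    </Select>
  </Query>
</QueryList>
'@

# Hypothetical helper: return one named <Data> value from an event's XML.
function Get-EventDataValue {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data |
        Where-Object { $_.Name -eq $Name }).'#text'
}

# Client-side part: the wildcard exclusion the XPath subset cannot express.
Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = Get-EventDataValue $xml 'SubjectUserName'  # assumed field
            ObjectName  = Get-EventDataValue $xml 'ObjectName'
        }
    } |
    # -notlike is case-insensitive, so .TMP is excluded as well
    Where-Object { $_.ObjectName -and $_.ObjectName -notlike '*.tmp' }
```

Because the `.tmp` test runs after retrieval, it cannot be saved as part of an Event Viewer custom view; the custom view can only carry the AccessMask condition.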