The Detailed Execution report includes the user name, the computer where the activity occurred, the time at which the activity occurred, the command that was entered, the process and parent process IDs, the current directory, the actual command that was executed, the command arguments, the “run as” user, whether the command started or not (access status), and any additional access status details (such as “permission denied” if the access status is “failed”).
Note: In the report, the Access Status column shows whether the command started successfully. It does not indicate whether the command completed successfully.
Note: Advanced monitoring does not generate an audit trail event for commands for which you’ve enabled per-command auditing.
You can customize and filter the information included in a Detailed Execution report by specifying the query criteria and saving the report definition.