File monitor report
If you have configured your auditing installation to perform advanced monitoring, the File Monitor report shows the sensitive files being modified by users on the audited machines. The File Monitor report includes any activity by any user (except root, -1) in the following protected areas on audited machines:
The report includes the user name, the computer where the activity occurred, the time at which the activity occurred, the filename, the current directory, the kind of file access was attempted, if the file access was successful or not, the command that was used, the process and parent process IDs, and the “run as” user.
Note: If a monitored file is renamed, the report displays both the original and new filename. The order of filenames may differ slightly on each operating system.