Open kont45 opened 4 years ago
It sounds like you want to monitor when someone replaces or modifies a specific file. Sysmon is not the best tool for auditing detailed changes to the file system. For this, you should look into Windows File System auditing.
For custom rules such as file overwrite / create, which Event ID should we use to log changes? Event ID 11 or 2? For example, I need to log the file when it changes in the path c:\programdata\file.log
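Putting the two options side by side, as an added example that is not part of the thread or of Sysmon's own documentation: a Sysmon FileCreate (Event ID 11) rule scoped to the path from the question, which only fires when the file is created or overwritten, next to the Windows File System auditing SACL the reply recommends, which also records in-place writes as Security Event ID 4663. The path comes from the question; the `Everyone` principal, the output file name and the rights list are assumptions chosen for illustration, and the script assumes an elevated PowerShell session.

```powershell
# --- Option A: Sysmon FileCreate rule (Event ID 11) -------------------------------
# Fires on create or overwrite of the target file only; appends/edits to an existing
# file produce no Sysmon event, which is why the reply points to OS-level auditing.
# Event ID 2 (FileCreateTime) only reports a changed creation timestamp, not content.
$Path = 'C:\ProgramData\file.log'   # path taken from the question
$sysmonRule = @"
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="is">$Path</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@
# Assumed output location; load it with: sysmon64.exe -c C:\ProgramData\sysmon-filelog.xml
Set-Content -Path 'C:\ProgramData\sysmon-filelog.xml' -Value $sysmonRule -Encoding UTF8

# --- Option B: Windows File System auditing (Security Event ID 4663) ---------------
# 1. Turn on the "File System" subcategory of Object Access auditing (successes only).
auditpol.exe /set /subcategory:"File System" /success:enable

# 2. Put an audit ACE (SACL) on the file so that writes, appends, attribute changes
#    and deletes by any principal are recorded. 'Everyone' is an illustrative choice.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, Delete'
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Path -Audit      # -Audit is required to read/modify the SACL
$acl.AddAuditRule($auditRule)
Set-Acl -Path $Path -AclObject $acl    # needs SeSecurityPrivilege, hence elevation

# 3. Review the resulting 4663 events for this file (most recent first).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object { $_.Message -match [regex]::Escape($Path) } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Each 4663 record carries the accessing process and account, so a SIEM rule on Object Name equal to the path gives the "who changed it" answer that Sysmon Event ID 11 cannot provide for edits to an existing file.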