Hey guys,
The question asks:
> Output should be displayed as: CRITICAL File below a known binary directory opened for writing (user_id=user_id file_updated=file_name command=command_that_was_run)
I used:
> File below a known binary directory opened for writing (user_id=%user.uid file_updated=%fd.filename command=%proc.pcmdline)
The solution was:
> File below a known binary directory opened for writing (user_id=%user.uid file_updated=%fd.name command=%proc.cmdline)
Maybe it would be better to clarify whether the full path is required or not.
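For reference, here is a minimal, self-contained Falco rule whose output line matches the format the exercise asks for. This is an added example, not code from the original post or from the course; the macro names and the directory list are assumptions chosen to keep the rule self-contained, while the `%`-fields are Falco's built-in event fields. The comments spell out the difference between the two pairs of fields that came up above: `fd.name` is the full path of the opened file whereas `fd.filename` is just the basename, and `proc.cmdline` is the offending process's own command line whereas `proc.pcmdline` is its parent's.

```yaml
# Added example (not the original post's or the course's rule).
# Macro names and the directory list below are assumptions for this example.
- macro: bin_dir
  condition: (fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin))

- macro: open_write
  # open/openat/openat2 with a write flag, on a regular file descriptor
  condition: >
    (evt.type in (open, openat, openat2) and evt.is_open_write=true
     and fd.typechar='f' and fd.num>=0)

- rule: Write below a known binary directory
  desc: A process opened a file under a binary directory for writing
  condition: open_write and bin_dir
  # %user.uid      numeric uid of the process owner
  # %fd.name       full path of the file, e.g. /usr/bin/ls
  #                (%fd.filename would print only "ls", without the path)
  # %proc.cmdline  command line of the writing process itself
  #                (%proc.pcmdline would print the *parent* process's command line)
  output: >
    File below a known binary directory opened for writing
    (user_id=%user.uid file_updated=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem]
```

Falco prefixes the rendered output with the rule's priority, so a hit prints as `CRITICAL File below a known binary directory opened for writing (user_id=0 file_updated=/usr/bin/ls command=cp ./ls /usr/bin/ls)` (constructed sample), which is why the exercise expects the file field to carry the full path.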