Moving this question over to its own post since so it can be marked answered when completed. the last post this was in the orignal poster seems not to have come back
For monitoring USB removable storage I set up a protection rule and only had it monitor explorer.exe When writing files to a USB Device. It recorded each file that was moved to the device.
I would also like to do the same with CD/DVD, but I haven't been able to figure out how to define the internal Windows 7 burner.
I created this post so your answers you put in the other post to this questions I can marked it answered once we are done. didn't know if you wanted to copy and paste your previous post to this threat ?
I am finally getting around to looking at this again and can't figure out step 2 with the tags. I don't have any tags set up so not sure what I need to do if I just want to record all file names people are burning to CD/DVD
I'm working on this same thing myself.
You could create a tag that fires on any file created by these apps. It says that we have to use at least one include before we can use an exclude. Bummer, I was hoping to use an exclude by creating a tag that would never fire but if I have to include a tag, why bother with the exclude?
I can make this rule fire for Windows burner but it only fires on files placed under the user profile /burn/burn directory. Nero just generates garbage. Nothing shows files on the CD/DVD, just files on the local OS that the app has interacted with.
Hope someone else jumps in to help out. If you figure this out, please post!