Thanks for your advice. I'll give that a go and report back.
I have created a correlation rule that filters against all the Sig IDs that are applicable, but I have a problem with File_Type. Looking at the packet info for a particular event shows nothing that maps to that variable. The best I can come up with is TargetFileName, which maps to Destination_Filename. And this leads to another puzzle. When I filter against a view using, say, contains(jpg) in the Destination_Filename field, I see filtered results. When I use the same kind of filter in an alarm, I don't get the same results.
File_Type would be very handy, but how would I get that custom type populated?