Try is : Disable the filter rule i.e The windows filtering platform..and ON the aggregation.
Looking at Windows Event 4656 (A handle to an object was requested) I believe destination_filename in custom types gives that information. I am on the latest version.
Thanks for this, I also se these fields in my ESM on event 4656. They do not however appear so complete in the event 4663...
Looking at the packet, this information also does not appear threre. I am thinking this might be an issue with the WMI parser for this event.
It would seem that the "Object" field was populated with the same information as the Process/Application field. In the event on the Server, the filname is listed as "Object_Name" so I am thinking this is a parsing issue...