Each of these events are prone to false positives from the user's point of view, but not from the OS point of view. Doron already mentioned how Save As generates a Delete event, though i can't understand why. Maybe deleting a Temp file?
You really get into interesting situation when opening an MSOffice file (Word, Excel, etc). For example, just opening a .doc with Word causes that file to be written to. Metadata gets updated to record who opened it last, this is how Word can tell you that someone currently has that file opened if you are trying to edit the same file as someone else. So right off the bat, you can't tell if they opened this file just to read it, unintentionally modifying metadata in the process, or legitimately made changes to it. Additionally, some temp files will get created in the same directory as the file for Autosave and other purposes, so you'll get a bunch of WriteData (or AddFile) accesses logged for the directory itself. Then when you actually click "Save" in Word, the temp files will get deleted, and unless I am getting my applications confused, the actual original file itself will get deleted as well, and then a new file with all the incorporated changes will get created.
Don't mean to discourage you, just wanted to make sure you know what you were up against.
BTW, got a note from Support last night that they replicated our issue with the latest version of the connector and opened a bug, TTP 62627. Please call support and have them update your case with that bug ID as well as adding your company to the list of those waiting for the resolution.
.png "dkeller"){kind=avatar}
