Yes, that happens in logparser.py parse_event() which replaces c (create file) -> a and d (delete file) -> w.
We probably need to restrict that replacement to file-related operations, which also means to move it to add_event_to_tree() to avoid duplicating the list of operations.
Most important question: Is doing that replacement _only for file rules/events_ the correct behaviour, or are there other rule types that also need that replacement?
Yes, that happens in logparser.py parse_event() which replaces c (create file) -> a and d (delete file) -> w.
We probably need to restrict that replacement to file-related operations, which also means to move it to add_event_to_tree() to avoid duplicating the list of operations.
Most important question: Is doing that replacement _only for file rules/events_ the correct behaviour, or are there other rule types that also need that replacement?