Files and processes responsible for file state

This query returns created files together with the user and the process that created them, which makes it possible to find the files created by a specific user.

Required Tables

  • process_events
  • file_events

Returned Fields

Field                      Description
unix_nano_timestamp
path, source_path          The path and source path of the file that was created
file_events.process_uuid   The ID of the process that created the file
process_events.username    The user that created it

Query

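SELECT unix_nano_timestamp,
       path,
       source_path,
       file_events.process_uuid,
       process_events.username
FROM file_events
-- LEFT JOIN keeps file events with no matching process row (username is NULL)
LEFT JOIN
    -- One row per (process_uuid, username), so repeated process events
    -- do not duplicate file rows
    (SELECT username,
            process_uuid
     FROM process_events
     GROUP BY process_uuid, username) AS process_events
    ON process_events.process_uuid = file_events.process_uuid
-- event_type 1 selects the file events this query reports as created files
WHERE file_events.event_type = 1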
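
The query above, run against constructed sample rows to show two behaviours that matter when reading its output: the GROUP BY subquery stops a process with several process_events rows from duplicating file rows, and the LEFT JOIN keeps created files whose process is unknown (username NULL). This is an added example, not the product's own code; it assumes SQLite as the engine, tables holding only the columns named on this page, and a hypothetical :user parameter for narrowing to one user.

```python
import sqlite3

# The page's query; the :user filter and ORDER BY are additions for this example.
QUERY = """
SELECT unix_nano_timestamp, path, source_path,
       file_events.process_uuid, process_events.username
FROM file_events
LEFT JOIN (SELECT username, process_uuid
           FROM process_events
           GROUP BY process_uuid, username) AS process_events
  ON process_events.process_uuid = file_events.process_uuid
WHERE file_events.event_type = 1
  AND (:user IS NULL OR process_events.username = :user)
ORDER BY unix_nano_timestamp
"""

def build_db():
    """In-memory tables with only the columns the page names (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE process_events (process_uuid TEXT, username TEXT);
        CREATE TABLE file_events (unix_nano_timestamp INTEGER, path TEXT,
            source_path TEXT, process_uuid TEXT, event_type INTEGER);
    """)
    db.executemany("INSERT INTO process_events VALUES (?, ?)", [
        ("p-1", "alice"), ("p-1", "alice"),   # same process logged twice
        ("p-2", "bob"),
    ])
    db.executemany("INSERT INTO file_events VALUES (?, ?, ?, ?, ?)", [
        (100, "/tmp/a.sh", None, "p-1", 1),
        (200, "/home/bob/notes.txt", None, "p-2", 1),
        (300, "/tmp/orphan.bin", None, "p-9", 1),  # no matching process row
        (400, "/tmp/a.sh", None, "p-1", 2),        # constructed non-1 type, filtered out
    ])
    return db

def created_files(db, user=None):
    """Return (timestamp, path, process_uuid, username) for each created file."""
    rows = db.execute(QUERY, {"user": user}).fetchall()
    return [(ts, path, uuid, name) for ts, path, _src, uuid, name in rows]

if __name__ == "__main__":
    db = build_db()
    for row in created_files(db):
        print(row)
    print(created_files(db, "bob"))
```

Rows with a NULL username are worth reviewing on their own, since they are file creations that cannot be attributed to a user from the process data available.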