Files and processes responsible for file state
It's possible to find the files created by a specific user and the process that created them.
|The path and source path of the file that was created|
|file_events.process_uuid||The process id that was created|
|process_events.username||The user that created it|
SELECT unix_nano_timestamp, path, source_path, file_events.process_uuid, process_events.username FROM file_events LEFT JOIN (SELECT username, process_uuid FROM process_events GROUP BY process_uuid, username) AS process_events ON process_events.process_uuid = file_events.process_uuid WHERE file_events.event_type=1