It is possible to find the files created by a specific user and the process that created them.
Required Tables
- process_events
- file_events
Returned Fields
|
unix_nano_timestamp |
The path and source path of the file that was created |
|
path |
|
|
source_path |
|
|
file_events.process_c8id |
The process c8id that was created |
|
process_events.username |
The user that created it |
Query
SELECT unix_nano_timestamp,
path,
source_path,
file_events.process_c8id,
process_events.username
FROM file_events
LEFT JOIN
(SELECT username,
process_c8id
FROM process_events
GROUP BY process_c8id, username) AS process_events
ON process_events.process_c8id = file_events.process_c8id
WHERE file_events.event_type=1
Comments
0 comments
Please sign in to leave a comment.