how can I use pid as a key to query for file_evernts? I want to know which files a known pid has accessed and changed? I am not seeing pid as part of the file_events table returned.

https://osquery.io/schema/4.7.0/#file_events Do you mean UID rather than PID? return * from file_events where uid is XXX

No I was referring to process. I want to find out what a process is doing.

that's not supported by the schema

anyone know if there is another query that can find out what files a process has access/changed?