Hey all happy friday Looking at some macOS FIM events where

Question

Hey all happy friday Looking at some macOS FIM events where uid is blank anyone know why this would be the case or what it could implicitly mean

sharvil · Answer

I am assuming this is the `file events` table and not the `es process file events` I will have to dive deeper in the code but IIRC it s only `CREATED` and `UPDATED` that populates those I will have to double check in a bit

sharvil · Answer

and it might require a join with the `file` table too

sharvil · Answer

similarly the `ms5 sha1 sha256` columns might require a join with the `hash` table

sharvil · Answer

but could be just a bug

sharvil · Answer

nvm the join should be done by the code itself

Brandon Mesa · Answer

Correct these come from file events

sharvil · Answer

Is this on Ventura

sharvil · Answer

I am wondering is this this related to permissions Full Disk Access and such or this is on any file

Brandon Mesa · Answer

This is on monterey and primarily across a select number of files including primarily private etc cups certs 0 and some child objects in private var root Library Caches rtcreportingd events NRM Events

Brandon Mesa · Answer

all actions on private etc cups certs 0 is DELETED

Brandon Mesa · Answer

I will probably end up excluding that file from the query

sharvil · Answer

Thanks for the additional context this maybe a bug caveat I will try to dig in deeper