Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hey all, happy friday! Looking at some macOS FIM events where "uid" is blank, anyone know why this would be the case or what it could implicitly mean?

I am assuming this is the `file_events` table (and not the `es_process_file_events`)…I will have to dive deeper in the code, but IIRC it’s only `CREATED` and `UPDATED` that populates those (I will have to double check in a bit)

and it might require a join with the `file` table too

similarly the `ms5,sha1,sha256` columns might require a join with the `hash` table

nvm, the join should be done by the code itself

I am wondering is this this related to permissions (Full Disk Access and such), or this is on any file?

This is on monterey, and primarily across a select number of files including primarily /private/etc/cups/certs/0 and some child objects in /private/var/root/Library/Caches/rtcreportingd/events/NRM_Events_*

all actions on /private/etc/cups/certs/0 is "DELETED"

I will probably end up excluding that file from the query

Thanks for the additional context, this maybe a bug/caveat, I will try to dig in deeper 