This has come up previously… There are a couple of API calls osquery uses to populate user and process data that trigger that. Some of the Windows folks recommend disabling that particular event log — it has a lot of false positive hits.
I recorded some of the details into https://github.com/osquery/osquery/issues/5840 a prior time. But this exceeds my Windows knowledge pretty fast.