@pvirani it is entirely possible that there are changes in filesystem for files like

/etc/passwd

and

/etc/sudoers

. It depends on the system and the settings, but atime can change frequently in response to activity of other programs (such as sudo).

aah very interesting! Thanks for that

you should get the outputs for the queries that you're getting alerts on and see what changed. I can't know for sure why the alert triggered since it depends on the specifics, but looking into the reasons is worth it.

yeah for sure

SELECT pe.key AS variable_name, pe.value AS variable_value, p.name AS process_name, p.path AS process_binary, p.uid AS user_id, u.username AS user_name FROM process_envs AS pe JOIN processes AS p ON p.pid=pe.pid JOIN users AS u ON p.uid=u.uid WHERE pe.key='PATH';

but i am unsure of the value you'd get from this. if a new process arrives with a different path string, it would probably make a different output from the last time the query ran. perhaps you have a known good list of paths the PATH variable should include, or known a pattern of dangerous ones?