Auditbeat - Triggering file integrity event.action:updated when hash.sha1 is unchanged

I think this is a submitted bug but it's 4 months old and no one has addressed it and it's pretty damn important.

auditbeat seems to be identifying file integrity changes when the file hash has not changed.
Version 7.7.1, 7.8
I'm seeing hash.sha1 has not changed, but I am getting event.action:updated alerts constantly. The only difference is that file.mtime is different each time. Anyone seen this? Have a workaround/fix?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.