I think this is a submitted bug but it's 4 months old and no one has addressed it and it's pretty damn important. https://github.com/elastic/beats/issues/17347
auditbeat seems to be identifying file integrity changes when the file hash has not changed.
Version 7.7.1, 7.8
I'm seeing hash.sha1 has not changed, but I am getting event.action:updated alerts constantly. The only difference is that file.mtime is different each time. Anyone seen this? Have a workaround/fix?