According to my customer,
they saw a user who doesn't exist in seosdb and /etc/passwd file in seos.audit file.
<Date&Time> W FILE <the user> Write 202 4
The user doesn't exist but a process for the user was being run on the Linux box.
Then, a file was accessed by the process.
RedHat Linux 7.2
CA PIM 12.8SP1 Endpoint
Please stop the process and please check LADB.
If the user exists in LADB, please remove the user from LADB.