According to my customer,
they saw a user who doesn't exist in seosdb and /etc/passwd file in seos.audit file.
<Date&Time> W FILE <the user> Write 202 4
RedHat Linux 7.2
CA PIM 12.8SP1 Endpoint
The user doesn't exist but a process for the user was being run on the Linux box.
Then, a file was accessed by the process.
Please stop the process and please check LADB.
If the user exists in LADB, please remove the user from LADB.