Hi everyone! I'm looking for guidance how query files for specific content, for example files with emails. Usecase - monitoring exporting data from sources.

which target OS? any specific example file for us to look at? in general reading arbitrary files goes against overall vibe of osquery (my personal take at least). You can "carve" files if you have that feature enabled/setup, otherwise on say macos, reading files is kind of limited to .plist format. One hack I have used in the past on macos is to leverage the spotlight query capability since macos natively indexes files based on some content. My general approach to that method is to run something like "mdls <your_file>" and see if spotlight identified any interesting metadata fields that contain the string or email of what you are searching for. If that is the case, then you can do a simple metadata based query to return all files in the spotlight index that match your pattern.

On macOS you can query spotlight index (mdfind), there’s a blog post about that here https://www.kolide.com/blog/how-to-spotlight-search-across-every-mac-with-osquery