@Stefano Bonicatti @Mike Myers in file_events logs we are not able to identify who has done it.. Could you suggest which logs would help identify the IP of the person doing the changes in the file ...?

I haven't thought about this so I don't have an immediate answer. Actually I don't see how the host IP address is related to file_events. If you want more information about the cause of the file change you could use

process_file_events

maybe

@Mike Myers In general I was looking for use cases of osquery in file monitoring like in case of any kernel changes..info regarding the person's IP who has done the changes or information about intrusion...these things can be achieved through osquery..if so..how..any links you can share..?

It sounds like you're assuming that the scenario you want to monitor for is when a file is changed by an remote attacker in an interactive shell of some kind. In that case, you'd need to check the process responsible for the file change event you see in

process_file_events

and then determine if that process (or its parent process) had a socket connection open (

process_open_sockets

). Even then, a process could have multiple connections open. There is no direct line of cause from file change back to remote IP address. Every packet would have to be traced from ingress to process receiving it and then traced through that process's execution to perform an analysis of actions it might have caused.

Is the system ur trying to monitor an external webserver? As others mentioned tracing file changes to an IP will likely require multiple data sources

file_events

could be one but u will probably need another to associate it with an IP For example on windows combining the data/timestamps from

file_events

with IIS logs u may be able to associate it with an IP