I know we can monitor when files are created, can we monitor if a certain file is altered in anyway?

You should be able to monitor when a file's contents are modified. The relative events table for the OS you are using will let you know a modification happened, but not exactly what was modified. https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/ If you wanted more granular details about what was modified you could try to use the

yara_events

table: https://osquery.readthedocs.io/en/latest/deployment/yara/

@theopolis Thanks!!! yes just knowing it was modified is enough, I don't need to know what was changed.

Tad bit late to this thread but you could have canary files deployed with known sha256 hashes. Then create a query using the hash table to check the hash of the canary file.

SELECT sha256 FROM hash WHERE path="<file>" AND sha256 != <sha256 of canary file>

This might be more practical for envs where you can’t enable file monitoring.

That’s awesome!