Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mystery Incorporated
05/02/2021, 6:29 AMI know we can monitor when files are created, can we monitor if a certain file is altered in anyway?
t
theopolis
05/02/2021, 2:33 PMYou should be able to monitor when a file's contents are modified. The relative events table for the OS you are using will let you know a modification happened, but not exactly what was modified. https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/
If you wanted more granular details about what was modified you could try to use the
yara_eventsIs this what you had in mind?
m
Mystery Incorporated
05/04/2021, 2:53 AM@theopolis Thanks!!! yes just knowing it was modified is enough, I don't need to know what was changed.
c
CptOfEvilMinions
05/04/2021, 6:20 PMTad bit late to this thread but you could have canary files deployed with known sha256 hashes. Then create a query using the hash table to check the hash of the canary file.
SELECT sha256 FROM hash WHERE path="<file>" AND sha256 != <sha256 of canary file>👍 1
m
Mystery Incorporated
05/04/2021, 6:32 PMThat’s awesome!