Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I know we can monitor when files are created,  can we monitor if a certain file is altered in anyway?

You should be able to monitor when a file's contents are modified. The relative events table for the OS you are using will let you know a modification happened, but not exactly what was modified. <https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/>

If you wanted more granular details about what was modified you could try to use the `yara_events` table: <https://osquery.readthedocs.io/en/latest/deployment/yara/>

<@U09M563C7> Thanks!!! yes just knowing it was modified is enough, I don't need to know what was changed.

Tad bit late to this thread but you could have canary files deployed with known sha256 hashes. Then create a query using the hash table to check the hash of the canary file.

`SELECT sha256 FROM hash WHERE path="&lt;file&gt;" AND sha256 != &lt;sha256 of canary file&gt;`

This might be more practical for envs where you can’t enable file monitoring.