#general

etsang

03/30/2021, 7:58 PM
I guess I misunderstand what process_open_files provides in macOS. I installed an application under /home/app (for example) that writes and accesses a bunch of temp logs under /home/app. What I want to do is to check all the files accessed in the system post installation. But the result returned from select * from process_open_files does not show any results under /home/app, which I double checked and am sure new files and folders are created. Anyone know why? And sure some user error.

nyanshak

03/31/2021, 2:57 PM
If I'm reading this correctly, it looks like you're trying to answer the question: "What files were written under /home/app?" The process_open_files table isn't a great way to answer this question as it only shows currently-open files. Based on what I think you're trying to do, you're probably looking for FIM ("file integrity monitoring"): https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/