https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
k

KaremAli

07/27/2020, 8:46 AM
Hello, ntfs_journal_events is not displaying any result for FIM this is the config
Copy code
{
  "options": {
    "host_identifier": "WindowsTest",
    "utc": "true"
  },
  "schedule": {
    "users": {
      "query": "select 'users' AS query_name, uid,username from users;",
      "interval": 10
    }
  },
  "file_paths": {
    "downloads": [
      "C:\\Users\\Noname\\Downloads",
      "C:\\Users\\Noname\\Downloads\\*"
    ]
  }
}
** osqueryi.exe --config-path='path to config' --disable-events=false ** USN is enabled on my device and I make changes to file on downloads but it's not reflecting in osqueryi ** I check the change in USN by parsing it using MFTCMD (Eric tool) and the changes are displayed any idea for solving this ?
I just had to enable ntfs_event_publisher I noticed this from config in here: https://dactiv.llc/blog/new-in-osquery-4.2/#ntfs_journal_events
👍 1
t

theopolis

07/27/2020, 3:29 PM
🎉
4 Views
Powered by