does anyone use <https://osquery.io/schema/4.1.2#f...
# generalz
Zach Zeid
02/18/2020, 8:23 PMdoes anyone use https://osquery.io/schema/4.1.2#file_events to replace their FIM?
z
zwass
02/18/2020, 8:31 PM
Yes, many folks use that for FIM.
z
Zach Zeid
02/18/2020, 8:33 PMCan I assume I would be able to see the diff of changes? or does it just show the sha of the change after the fact?
z
zwass
02/18/2020, 8:34 PM
No diff, just hashes as described in https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
g
Guillaume
02/19/2020, 12:56 AMYeah no file content. But I love using it instead of deploying something else to check that FIM box heh
7 Views