for process file events on Windows take a look at

Question

< sundsta> for process file events on Windows take a look at this article

sundsta · Answer

Just posted today Thanks a bunch

sundsta · Answer

This looks similar to file events though which does not include the context of the process

alessandrogario · Answer

That is true it is not possible to retrieve it from the NTFS journal

alessandrogario · Answer

The only ways that I know of to get it is to either use a kernel driver which is a little frowned upon in osquery or attempt to use the Audit ACL but that would mean changing system state

sundsta · Answer

I m not super familiar with Windows internals Is the Audit ACL similar to the audit system on Linux

alessandrogario · Answer

random article <https www varonis com blog windows file system auditing >

alessandrogario · Answer

Audit is a system call tracing facility and that is why it was possible to implement those tables on Linux

sundsta · Answer

Thanks It seems like I can get most of what I want through that and then having osquery send back the data from windows events