osquery> select * from ntfs_journal_events WHER...
# windowsx
xiaoliuzi
04/30/2020, 6:07 AMosquery> select * from ntfs_journal_events WHERE action = "FileWrite";
W0430 140710.305126 17384 virtual_table.cpp:967] Table ntfs_journal_events is event-based but events are disabled
W0430 140710.305126 17384 virtual_table.cpp:974] Please see the table documentation: https://osquery.io/schema/#ntfs_journal_events
s
SK
04/30/2020, 6:15 AMHey @xiaoliuzi, probably you must set the '--disable-events=false' flag to make it work as given in the link below. https://osquery.readthedocs.io/en/stable/introduction/using-osqueryi/
x
xiaoliuzi
04/30/2020, 6:23 AMAll keyword values are -1 like this;
xiaoliuzi
04/30/2020, 6:23 AM| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1
s
SK
04/30/2020, 6:36 AMProbably this can give you some direction: https://dactiv.llc/blog/new-in-osquery-4.2/#ntfs_journal_events
This is a new feature that I did not try yet.
6 Views