Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi all :wave: I've got a few FIM-related questions; any pointer would be appreciated. :pray:
For those of you who use the `inotify`-based `file_events` table, how do you handle containers? Specifically:
- how do you dynamically configure osquery to apply FIM queries to new containerd containers?
- how do you get container metadata, such as k8s pod and deployment info, added to each `file_event` result?

the short answer is you don't :(. currently it's not simple to get fim activity especially from via inotify event feed. there is not a lot of context around inotify fim events.