Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi,
I'm using FIM for windows. Is there a way I can query for file-modification events which also gives the name of the process which modified it ?

Thanks

I don't think that's possible on Windows with osquery today. It might be supported in the newer ETW-based file events table that we are planning: <https://github.com/osquery/osquery/issues/7836#issue-1473557810>.

Thanks for the update. Could you give an idea when this feature would be available in OSquery ?