Hi, I'm using FIM for windows. Is there a way I can query for file-modification events which also gives the name of the process which modified it ? Thanks

I don't think that's possible on Windows with osquery today. It might be supported in the newer ETW-based file events table that we are planning: https://github.com/osquery/osquery/issues/7836#issue-1473557810.

Thanks for the update. Could you give an idea when this feature would be available in OSquery ?

There is no timeline as of now.