  • etsang

    1 year ago
    How can I use pid as a key to query for file_events? I want to know which files a known pid has accessed and changed. I am not seeing pid as part of the file_events table returned.
  • Jocelyn Bothe

    1 year ago
    https://osquery.io/schema/4.7.0/#file_events Do you mean UID rather than PID? select * from file_events where uid = XXX
  • etsang

    1 year ago
    No, I was referring to process. I want to find out what a process is doing.
  • Jocelyn Bothe

    1 year ago
    that's not supported by the schema
  • etsang

    1 year ago
    Anyone know if there is another query that can find out what files a process has accessed/changed?
  • Jocelyn Bothe

    1 year ago