• k

    KaremAli

    2 years ago
    Hello, ntfs_journal_events is not displaying any result for FIM this is the config
    {
      "options": {
        "host_identifier": "WindowsTest",
        "utc": "true"
      },
      "schedule": {
        "users": {
          "query": "select 'users' AS query_name, uid,username from users;",
          "interval": 10
        }
      },
      "file_paths": {
        "downloads": [
          "C:\\Users\\Noname\\Downloads",
          "C:\\Users\\Noname\\Downloads\\*"
        ]
      }
    }
    ** osqueryi.exe --config-path='path to config' --disable-events=false ** USN is enabled on my device and I make changes to file on downloads but it's not reflecting in osqueryi ** I check the change in USN by parsing it using MFTCMD (Eric tool) and the changes are displayed any idea for solving this ?
  • I just had to enable ntfs_event_publisher I noticed this from config in here:https://dactiv.llc/blog/new-in-osquery-4.2/#ntfs_journal_events
  • theopolis

    theopolis

    2 years ago
    🎉