https://fleetdm.com logo
  • z

    Zach Zeid

    2 years ago
    does 
    ntfs_journal_events
    log every change to every file on windows, or can it be scoped?
  • terracatta

    terracatta

    2 years ago
    It can be scoped with the following config 
    {
  "file_paths": {
    "downloads": [
      "C:\\Users\\foobar\\Downloads",
      "C:\\Users\\foobar\\Downloads\\*"
    ]
  }
}
  • See https://github.com/osquery/osquery/pull/5371
  • z

    Zach Zeid

    2 years ago
    Thank you.