osquery-defense-kit/incident_response/file_events.sql

-- Return the list of watched file events (must be configured)
--
-- tags: postmortem events
-- platform: posix
-- interval: 900
SELECT
  *
FROM
  file_events
WHERE
  time > (strftime('%s', 'now') -900)
Add many new incident response queries 2023-02-23 14:35:38 +00:00			`-- Return the list of watched file events (must be configured)`
			`--`
Add events and extra tags to relevant event-based queries 2024-09-24 19:36:03 +00:00			`-- tags: postmortem events`
Add many new incident response queries 2023-02-23 14:35:38 +00:00			`-- platform: posix`
Collect recent file events 2023-05-12 20:35:00 +00:00			`-- interval: 900`
Run reformat 2024-02-16 22:21:00 +00:00			`SELECT`
			`*`
			`FROM`
			`file_events`
			`WHERE`
			`time > (strftime('%s', 'now') -900)`