osquery-defense-kit/incident_response/file_events.sql

mirror of https://github.com/chainguard-dev/osquery-defense-kit
-- Return the list of watched file events (must be configured)
--
-- tags: postmortem
-- platform: posix
-- interval: 900
SELECT *
FROM file_events
WHERE time > (strftime('%s', 'now') -900)
Add many new incident response queries 2023-02-23 14:35:38 +00:00			`-- Return the list of watched file events (must be configured)`
			`--`
			`-- tags: postmortem`
			`-- platform: posix`
Collect recent file events 2023-05-12 20:35:00 +00:00			`-- interval: 900`
			`SELECT *`
			`FROM file_events`
			`WHERE time > (strftime('%s', 'now') -900)`