# officehours
It's not an easy sell to ask people to deploy osquery + Sysmon / a Sysmon filter config. It would be much easier if we could just deploy osquery and be done with it.
Have you tried this extension? I've been doing a lot of testing with it, and it can provide very similar visibility to Sysmon with no need for an additional agent. Disclaimer: I am not affiliated with that team, I just use the product.
I agree that having this visibility right in osquery, and not having to rely on external tools such as Sysmon, is the way to go. Regarding the osq-ext-bin extension, I looked into it in the past. The extension does a great job of providing extra visibility on Windows. The only drawback is that the extension installs a new Windows kernel driver to retrieve the visibility data, which is not ideal imo for a couple of reasons (unexpected crashes, system state changes, compatibility, etc.).