Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

image.png

Does anyone know if `is_active`  on the `running_apps` table is cached?

<https://osquery.io/schema/5.1.0/#running_apps>

(Seeing out of date results when testing from a macOS device)

Gotta check source for this :slightly_smiling_face:

<https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/tables/system/darwin/running_apps.mm#L43>

Looks like it’s whatever the underlying macOS API returns.