Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

but the SIGFILE is only displaying the TOP level yara file, making it difficult to know exactly what Yara file was triggered. Thank you for any help and consideration.

Hi Mike, Sigfile column only shows the top-level yara file and not the include file that triggered the match. It also has `matches` column that lists the Yara matches.

It uses `libyara` interface for scanning which does not provide a way to get which include yara file the matches belong to. It only tells you the matches based on top-level sigfile.