I've another question; Is there a way for osquery to understand significant changes to something over time? e.g. I want to track number of open connections where that number is a delta between two points in time.

Would it be useful to use the socket_events/bpf_socket_events tables and count the connect actions?

I don't know, we haven't implemented any

event

tables as of now. The documentation makes it seem like it's very resource intensive, and could break in a lot of different ways.

The only alternative close to that is: https://osquery.readthedocs.io/en/stable/deployment/logging/#snapshot-logs

yeah, that's what I was thinking as well. There is also my inexperience with how an

events

table would solve this.

Could you run something like

select count(*) from process_open_sockets

?

That was my original thought actually. The problem is being able to establish a baseline, and then saying "anything over this baseline is alertable." Honestly, I don't know if this is a problem for osquery to solve.

This is something you would typically do in the logging pipeline. Osquery can of course expose the data. I know tools like Elastalert can set up alerts based on changes from baseline.

Yeah, everything we do gets ingested by Streamalert, which doesn't really have the concept of state in this case.