Hello everyone. As we start planning our rollout, we are looking at how best to limit the impact of osquery on our production systems. I've watched this excellent presentation by @zwass, and we plan to leverage pretty much everything he discussed. However, I'm assuming that the data gathered from osquery_schedule is for scheduled queries and not ad-hoc queries. We are planning to schedule as much as possible, but at some point our security team will need to run queries as part of an investigation on a tight timeline and might revert to running something ad-hoc to get results more quickly. Assuming I'm correct in that osquery_schedule won't capture information about these queries, what are others doing to track their performance? Also, I'd love to hear if others have success stories or lessons learned around the items discussed in Zach's talk. Thanks!
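As an added illustration of the scheduled-query side the post refers to (not the poster's own query), this is the kind of statement that can be run against the osquery_schedule table to find which scheduled queries consume the most resources. It assumes the column set of recent osquery versions (name, interval, executions, output_size, wall_time, user_time, system_time, average_memory, last_executed); older releases may lack some of these.

```sql
-- Added example: rank scheduled queries in osquery_schedule by cost per execution.
-- Cumulative counters are divided by the execution count so a frequent cheap
-- query and a rare expensive one can be compared fairly.
-- Column names assumed from recent osquery versions (see lead-in).
SELECT
  name,
  interval,
  executions,
  -- total CPU seconds consumed so far (user + system)
  user_time + system_time AS cpu_seconds_total,
  -- average CPU seconds per run; guard against a query that has not run yet
  CASE WHEN executions > 0
       THEN ROUND((user_time + system_time) * 1.0 / executions, 3)
       ELSE NULL END AS cpu_seconds_per_run,
  -- average wall-clock seconds per run
  CASE WHEN executions > 0
       THEN ROUND(wall_time * 1.0 / executions, 3)
       ELSE NULL END AS wall_seconds_per_run,
  -- average bytes of result output per run (large values hurt the log pipeline)
  CASE WHEN executions > 0
       THEN output_size / executions
       ELSE NULL END AS output_bytes_per_run,
  average_memory,
  datetime(last_executed, 'unixepoch') AS last_executed_utc
FROM osquery_schedule
WHERE executions > 0
ORDER BY cpu_seconds_per_run DESC, wall_seconds_per_run DESC
LIMIT 20;
```

Running this from osqueryi against a live daemon socket, or scheduling it at a low interval, gives a per-host view of which packs to tune; it says nothing about ad-hoc queries, which is exactly the gap the post asks about.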