I'm not able to find watchdog events in our SIEM. ...
# general
r
I'm not able to find watchdog events in our SIEM. But I don't know where to check IF we're collecting these events in the first place
z
You'd find these in the status logs. The other thing you can do is schedule a query to the `osquery_schedule` table and look at the `blacklisted` column to see if any queries have been blacklisted by the watchdog.
r
Thank you, I'll check that out.
z
Or even better, live query the `osquery_schedule` table if you have that capability.