Schedule a query against the

osquery_schedule

table to get some information about the queries executing.

Since all of our queries are running under osqueryd, and I run this query using osqueryi....does that explain why I have all "0" for the "execution" and "last_executed" columns?

Yes

Thanks @zwass! Using this method I have discovered that of the ~100 queries we have in 3 custom packs, only one of those packs is getting executed (and of those ~25 or so queries, only 5-6 of them are running). I have checked the config 'sanity' for each pack using the tools listed here: https://osquery.readthedocs.io/en/stable/deployment/debugging/

Can you share your config? Do you have a platform or discovery query set on the pack that is preventing it from executing?

No discovery queries. See attached for the osquery.conf and all active packs.

Which work/don't work?

The majority of them don't appear to be running (see attached)

can you tell me which pack is executing and which are not?

I can't be certain, but it looks like "SYN_threat_hunting1" and "SYN_threat_hunting2" never execute. Also, the majority of the other "windows_attacks" and "windows_hardening" don't execute, just a few from each of those are found in the logs.