# general
c
True, no, I agree there. So maybe a good approach would be to get a good tool in place to actively listen for threats, and then use osquery on top of that.
👍 1
c
I generally go with: AV (or your next-gen equiv) is an unfortunate necessity. Osquery is what I turn to when I want behavioral or targeted information about a system (or systems).