Another thing I'm noticing is that the results from the script differ when ran on one of our ec2 instances versus a docker container in gitlab. Testing with stress-ng to see if I can simulate a little system stress for the docker container to try to get more consistent results. More on that later.

It's very plausible that different system configurations would lead to different performance profiles of osquery queries.

Yeah that's a good point. Hopefully I can get it to a point where it flags my known bad queries at least. Doesn't have to be exact though