So cool @defensivedepth! Love seeing the culmination of your work on this! Happy to have been involved in any capacity 😊

Excited to see this published, though I haven't had a chance to look at it deeply yet. Have you found that filtering this way results in acceptable performance? I remember we had discussed the possibility of osquery doing more filtering at ingestion time.