This is an interesting question tho, if fleet is usind websockets to connect to osquery, why can we not push live queries instead of the current check-in model (or in conjunction with the check-in model)? I'm sure there is a reason why, just curious what is the reason?

Fleet only uses websockets to stream the results from the Fleet server to the browser running Fleet UI. osquery itself doesn't support websockets for the communication between the endpoints and the Fleet server.

@Sarah Gillespie ah that makes sense then.