Hello everyone, is there any possible way to define policies in fleet comparing eg running processes with a black- or whitelist, but without having to list every entry from the list manually in the specific query?

I'm not aware of a way of setting "variables" in the SQL per se (@Guillaumemight have other ideas I'm not aware of. fyi @Mo Zhu) But one trick that comes to mind is you could create a table like

1und1_allowed_processes

and then join against it. The table could just be a static list. That would let you manage it via osquery extension in code and use Fleet to deploy the latest extension whenever you make changes. That said, it's probably easier just to hard-code them into the query, and invest in making the format nice and some SQL comments.

Yeah and keep in mind creating tables on osquery will work but they will not exist when osqueryd next restarts, so I would not recommend that.

Yeah and keep in mind creating tables on osquery will work but they will not exist when osqueryd next restarts,

Unless you create a custom osquery extension and add tables that way.

Thanks for your answers!