what do you suggest for near real-time detections for other events? run incremental query every second? or something else?

Which other events are you looking for? FIM, process_events, hardware_events, disk_events, etc. all work without kernel extension.

for example, network events

Yes, I believe network events are not supported and FIM I believe is fsevents.

and what do you suggest for near real-time detections using those (and more) events? run queries every second and get the data off from endpoint?

For network events? Or for supported event types? I would definitely avoid running queries every second. Maybe something like queries every 10-30 seconds and a logging interval of 10-30 seconds. This seems "real-time" enough for most logging pipelines IME.

no, I mean for all supported events, not network. Is there a way to configure an logging interval for kafka?

I just took a look at the Kafka plugin implementation and it seems to log immediately. Not sure why it doesn't do buffering like the AWS and TLS plugins.

so with kafka the query result is sent as soon as it finishes, well, I can use the query interval only in this case

That sounds right to me

thanks