Curious - is anyone piping osquery logs to bigquery? How do you deal with schemas if so? This seems to be the big advantage of logging to ELK, but I’m curious if someone is using Google Bigquery

Haven’t done it personally, but some Cloudflare folks gave a talk about their “serverless” SIEM in GCP using osquery for data collection and BigQuery was a part of it.

ah interesting. I will take a look. I think the hard part of logging to BQ would be dealing with a different schema for every pack you configured, but maybe you could automate something around this…

They had a ton of Cloud Functions to handle that

thanks @sundsta that was my guess, that you’d need to trigger a cloud function to bring up a new table with the right schema when a new pack was created. Maybe neat, but doesn’t sound like a lot of fun.