Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

when defining query packs, do you _have_ to define a query separately and then reference by name? or can you just define the query itself

Yes, queries must be defined separately and referenced by name. It could be interesting to allow them to be defined inline.

It just makes the config file simpler IMO

there’s also no support for the bulit-in query packs right?

that are dropped on the host when osquery is installed?

Many folks convert those query packs with `fleetctl convert` and use them.

The osquery distributed packs are highly unmaintained. Caution is recommended.