Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Thanks - I can see the websocket connection in developer tools, not sure where it is getting the parameters to build the request after the initial run though.

1) a run is issued, /api/v1/kolide/queries/run
2) then a /api/v1/kolide/results/info?t={{numeric value}}
3) completes with a /api/v1/kolide/results/{{numeric value}}/{{alpha numeric value}}/websocket

The values used in the 2nd and 3rd request are not present in the response of the first request

Looks like /api/v1/kolide/results/info?t={{numeric value}} is just a info request and can be omitted if running programmatic. The larger question is what are the values used to construct the 3rd request /api/v1/kolide/results/{{numeric value}}/{{alpha numeric value}}/websocket

After the third request is constructed you can send traditional websocket request on the campaign

<@UGMMZ04LC> did you manage to get the results via the websockets ? Can you throw some pointers please