Thanks - I can see the websocket connection in developer tools, not sure where it is getting the parameters to build the request after the initial run though.
1) a run is issued, /api/v1/kolide/queries/run
2) then a /api/v1/kolide/results/info?t={{numeric value}}
3) completes with a /api/v1/kolide/results/{{numeric value}}/{{alpha numeric value}}/websocket
The values used in the 2nd and 3rd request are not present in the response of the first request