hold on, double-checked the docs. Appears I have to manually specify ‘removed: false’ in the pack config? I have not, but the UI shows that the pack/queries are set to diff-ignore.

Did you configure these packs via the UI or

fleetctl

?

fleetctl. This does appear to be a bug of some kind, still confirming. When creating a query pack config file, if ‘removed:false’ is not specified, the mode defaults to including removals. However, the UI displays the ‘Differential (Ignore Removals)’ option. When ‘removed:true’ is used, the UI displays the correct selection - ‘Differential’ I am unsure what is expected default mode if the ‘removed:true/false’ line is not included.

The expected behavior should be like the osquery behavior (as specified in https://osquery.readthedocs.io/en/stable/deployment/configuration/#schedule). This would mean by default removals are included. Sounds like perhaps we are using the correct default, but rendering the wrong value in the UI. I'll look into this.

Thanks, that is what I am thinking as well

I found the issue in the frontend JS