# windows
j
Thanks for your inputs @puffycid @Mike Myers. I have been checking other solutions that read Windows events and they definitely do something different to read analytic logs vs normal Windows logs. I don't know if you guys consider this a bug or a FR, but I opened https://github.com/osquery/osquery/issues/7322 as a Feature Request. Definitely many of our customers are very interested in querying those logs, and I think it would be a nice feature for osquery to have to complete the Windows events support.
👍 2
m
It's right in that grey area of feature/fix but thanks for creating an issue to track it! Trail of Bits will definitely put this on our list of improvements to propose/suggest to our osquery sponsors.