is it necessary to enable the appropriate ETW providers first? If so, is that a persistent change to the system state? This is where osquery has trouble trying to adhere to its principles of "don't change system state", but I think it's worth a discussion (other auditing sources can be enabled with registry changes)
03/23/2021, 6:13 PM
From the perspective of osquery, if we imagine sysmon as an external library and dependency for our source of events, then we try to enable and add the sysmon provider to our publisher's trace and act accordingly. I understand, and mentioned in the issue, that it's a bit outside osquery's principles. But the benefits of relying on a tool like sysmon are worth considering.
The packaging and enablement of these evented tables can be thought through further, if we agree on this kind of change 🙂
03/23/2021, 6:18 PM
yea, personally I think "osquery will make registry changes to turn on ETW providers" is fine, but I'm interested in what others will say. This is separate from "osquery will opportunistically collect from sysmon if present", which also seems okay
03/23/2021, 6:19 PM
Further, in the current POC, I enabled just a single provider (i.e. Sysmon's provider) inside a single trace session and then distributed the events based on
that describes the event type to the appropriate subscriber.