Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

In your poc, is sysmon still outputting events to the eventlog? Your poc just allows us to more easily manipulate the sysmon data without having to use the `windows_events` table to ship the sysmon logs?

yes sysmon still outputs it's log via it's own trace session. we create a new trace session to receive the events and fwd accordingly. If you notice there are 2 trace sessions, one that we create from event publisher.

<@U2VPE4C0M> yeah. `windows_events` being generic over diff channels and sources can't be projected generically. The data manipulation and types of queries that one create with such tables at endpoint itself opens a new set of opportunity.