Does Windows version of OSquery support Socket_events and Process_events tables? From my understanding it does not... From Linux : "platform": "linux", "schedule": { "process_events":{ "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events ;", "interval": 10, "description": "Process events collected from the audit framework" }, "socket_events":{ "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE remote_address NOT IN ('127.0.0.1', "interval": 10, "description": "Socket events collected from the audit framework" }, -- I am trying to figure out windows equivalent of these queries

osquery.io/schema is your friend here

thats what my understanding was - thanks @zwass

Windows equivalent of AuditD would be ETW, but the last time I looked, there was no ETW publisher you could turn on that would correlate process events and socket events. You had to attempt to do it yourself, but that approach is prone to race conditions.

There are a handful of osquery tables that require users to change host configs for deployment. Could that be solution here?

@Shan, at PolyLogyx we have built these tables thru an extension (not the core) as they leverage kernel components. If it interests you, feel welcome to pick the extension from: https://github.com/polylogyx/osq-ext-bin

Will do. thanks for the info guys. appreciate it.