I did a little bit of work with an extensions to replay data for testing. But I got hung up on duplicate table names and didn't revisit it.

Hey @seph I was thinking if there was a way to replay Windows Event logs in a VM, we might at least be able to check the "windows_events" possibly also the "powershell_events table". But this will become more useful when OSQuery can parse the data column and put all data in separate fields. Hopefully this will do that https://github.com/osquery/osquery/pull/6280/commits/b8a1c68afd2678988fc311c7a4e692f90d111bec

I don't know windows well enough to know if there are good replay opportunities