Consider including decorators in live query results

[marpaia]

Consider including the result of decorators in the result set of a live query, to further contextualize query results

[jessert]

This is a much needed feature to help correlate different queries.

[zwass]

@jessert Can you help me understand how you would use this? Why is JOINing for additional data insufficient?

[jessert]

I am looking to include the uuid in all live queries. I need to import the results of various queries into a database and want to use the uuid as the unique identifier. It seems that I am able to include the system_info table in a query and pull the uuid, but it is not using a join, e.g. SELECT os_version.*, system_info.uuid FROM os_version, system_info

[zwass]

The , operator is synonymous with JOIN. You can also use a subquery if it makes things more clear: SELECT *, (SELECT uuid FROM system_info) uuid FROM os_version.

This should be a good workaround for getting the results you need until someone prioritizes implementing this feature.

[nyanshak]

I was going to investigate adding decorator support to the live-query results because I also think it would be very useful to help contextualize the results. I may be wrong, but I don't think osquery sends the decorator results (or at least not by default), so I'm not yet able to work on this. I had fleet dump the request body and osquery didn't send the decorators by default, and I don't see any flags that look like they would support sending decorator results with distributed query results.

Raised https://github.com/osquery/osquery/issues/6706 in osquery repo to try to address this.