# Events with osquery
<!-- Put the link to this slide here so people can follow -- slide: https://hackmd.io/p/OR4rWLFzT3aS9Ju1qmKPfw -->
---
## Quick Recap
- live queries <!-- what's happening here is that Fleet is sending this query to each host, and gathering the results back from each host -->
- scheduled queries <!-- similarly we can run a query on a schedule, and the results will be sent to whatever we have configured: the filesystem, a TLS server like Fleet, or even somewhere like Amazon Kinesis -->
why do we need events? <!-- a scheduled query is a point-in-time snapshot: anything that starts and finishes between two runs (a process that lived for two seconds, a DMG that was mounted for a minute) is never seen. Evented tables record those changes as they happen, so the next query can still report them -->
---
## Evented Tables
- Tables that end in `_events`
- Some Example tables:
- `disk_events`
- `file_events`
- `process_events`
- `socket_events`
- `hardware_events`
- ...and many more
- We will take a closer look at some of these in an upcoming module
---
## Evented Tables
- Behind the scenes (simplified)
- a publisher watches an OS event source; subscribers turn each event into a table row
- osquery buffers those rows internally in RocksDB
- They expire after a certain time <!-- --events_expiry (seconds) and --events_max (rows per subscriber) control this; keep the expiry longer than the interval of the scheduled query that reads the table, or rows are purged before they are ever reported. With --events_optimize (the default) each scheduled run only returns events newer than its previous run -->
---
## Evented Tables
- Things to note:
- Platform differences <!-- not every evented table exists everywhere: disk_events is macOS only, hardware_events exists on macOS and Linux; process_events and socket_events need an audit source (auditd on Linux, OpenBSM on macOS); file_events needs a file_paths section in the config on every platform -->
- Configuration Options <!-- events are off in osqueryi unless you pass --disable_events=false; --events_expiry, --events_max and --events_optimize control buffering; file_events additionally needs --enable_file_events=true; the audit-backed tables need --disable_audit=false -->
- Performance Considerations <!-- audit-based publishers can be expensive on busy hosts, and an evented query that returns thousands of rows per run costs CPU, memory and log volume on every host; the osquery_events and osquery_schedule tables show what each subscriber buffers and what each scheduled query costs -->
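The three checks a practitioner runs before relying on an evented table, as an added example that is not part of the original slides. It assumes an `osqueryi` shell started with `--disable_events=false` (or a live query against `osqueryd`); the flag names in the `IN` list are real osquery flags, and any that do not exist on the current platform simply do not appear in the result.

```sql
-- Run inside: osqueryi --disable_events=false   (or as a live query against osqueryd)

-- 1. Event-related flags and their effective values on this host.
--    Flags that do not exist on this platform are silently absent from the result.
SELECT name, default_value, value
FROM osquery_flags
WHERE name IN ('disable_events', 'events_expiry', 'events_max', 'events_optimize',
               'enable_file_events', 'disable_audit', 'audit_allow_process_events',
               'audit_allow_sockets')
ORDER BY name;

-- 2. Publishers and subscribers that are actually running.
--    active = 0 means the event source never started (e.g. no audit access);
--    events is the number of rows currently buffered for a subscriber.
SELECT name, publisher, type, subscriptions, events, refreshes, active
FROM osquery_events
ORDER BY type, events DESC;

-- 3. Cost of every scheduled query, so an evented query that ships too many rows
--    per run is visible before it becomes a fleet-wide problem.
SELECT name, interval, executions, output_size, wall_time, user_time, system_time, average_memory
FROM osquery_schedule
ORDER BY wall_time DESC;
```

Compare `events_expiry` from the first query with the `interval` of each scheduled query that reads an evented table in the third: an interval longer than the expiry means rows are purged before they are reported.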
---
## Demo
- Let's use `disk_events` on macOS
<!-- Most of the applications are distributed as disk images on macOS, they are the files with dmg extension. These are virtual disks that get mounted when a user double clicks. Sometimes malware on macOS also gets distributed this way, by hijacking a download link, and pretending to be -->
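The queries behind the `disk_events` demo, as an added example that is not part of the original slides. It assumes macOS, an `osqueryi` shell started with `--disable_events=false`, and that a disk image has been mounted after the shell started; the join in the second query relies on `disk_events.path` being the mount point and `processes.path` being the executable's full path.

```sql
-- Start the shell with events enabled (they are off in osqueryi by default):
--   osqueryi --disable_events=false
-- then mount a disk image (double-click a .dmg, or: hdiutil attach Example.dmg) and query.

-- 1. Disk images that have been mounted since the shell started.
--    ephemeral = 1 marks volumes backed by an image rather than physical media;
--    checksum is the UDIF checksum of the image when one is available.
SELECT datetime(time, 'unixepoch') AS mounted_at,
       name, path, device, filesystem, uuid, size, checksum
FROM disk_events
WHERE action = 'Appear' AND ephemeral = 1
ORDER BY time DESC;

-- 2. Anything executing out of one of those volumes right now.
--    disk_events.path is the mount point (e.g. /Volumes/Example),
--    processes.path is the full path of the running executable.
SELECT p.pid, p.name AS process, p.path AS executable, d.name AS volume, d.checksum
FROM processes p
JOIN disk_events d ON p.path LIKE d.path || '/%'
WHERE d.action = 'Appear' AND d.ephemeral = 1;

-- 3. Only events newer than a checkpoint (here: the last hour, a constructed cutoff).
--    This is what the scheduler does for you with --events_optimize, so a scheduled
--    query does not re-report rows it has already sent.
SELECT datetime(time, 'unixepoch') AS ts, action, name, path, checksum
FROM disk_events
WHERE time > CAST(strftime('%s', 'now') AS INTEGER) - 3600
ORDER BY time;
```

The second query is the pivot that matters for the speaker note above: a volume that appeared from an image and is now the source of a running process is exactly the pattern a hijacked download produces, and the `checksum` column gives you something to compare across hosts.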