Osquery Release notes - Release 4.6.6

Release 4.6.6 

This osquery release includes the following features, enhancements, and bug fixes.

New features and enhancements:

  • Support for capturing eBPF-based DNS lookup events when the lookup fails.
  • A new windows_defender_preference table that shows the current Windows Defender preferences in real time.
  • The osquery_yara_signatures diagnostic table now includes all YARA rules.
  • Support for a Bundle ID in osqueryd so that MDM profiles can be created for macOS.
  • Support for the process_open_files table on Windows endpoints.
  • Graviton support for Amazon Linux 2.
  • YARA support for containers.
  • Support for Docker section 5.5 checks.
  • Generic compliance checks to validate audit rules.

Fixed issues:

  • yara_events are not generated when file access is enabled on Windows and Linux endpoints.
  • The local_timezone column of the time utility table displays UTC instead of the local timezone on Windows endpoints.
  • No data is returned for the usb_devices table on Windows endpoints.
  • eBPF-based DNS events appear before the process events of the processes that performed the DNS lookups.
  • Duplicate events in the user_events table.
  • Unable to perform remediation actions when the process ID is zero.
  • The sender column of the aul table is empty.
  • user_events are not generated when the --audit_eoe_record_timeout flag is set to a non-zero value.
  • Increased memory usage on VMs and Kubernetes.
  • The status column of the processes table displays integer values instead of text on macOS endpoints.
  • The dns_resolvers table does not include IPv6 entries on macOS endpoints.
  • The dns_lookup_events table does not include IPv6 DNS queries on macOS endpoints.