Osquery Release notes - Release 4.6.6
This osquery release includes the following features, enhancements, and bug fixes:
Features and Enhancements
- Support for capturing eBPF-based DNS lookup events for failed lookups.
- A new windows_defender_preference table that shows the current Windows Defender preferences in real time.
- The diagnostic table osquery_yara_signatures now includes all YARA rules.
- Bundle ID support in osqueryd for creating MDM profiles on macOS.
- Support for the process_open_files table on Windows endpoints.
- Graviton support for Amazon Linux 2.
- YARA support for containers.
- Support for Docker section 5.5 checks.
- Generic compliance checks to validate audit rules.
Bug Fixes
- yara_events are not generated when file access is enabled on Windows and Linux endpoints.
- The local_timezone column of the time utility table displays UTC instead of the local timezone on Windows endpoints.
- No data is received for the usb_devices table on Windows endpoints.
- eBPF-based DNS events appear before the corresponding process events for DNS lookups.
- Duplicate events in the user_events table.
- Unable to perform remediation actions when the Process ID is zero.
- The sender column of the aul table is empty.
- user_events are not generated when the --audit_eoe_record_timeout flag is set to a non-zero value.
- Increased memory usage on VMs and Kubernetes.
- The status column of the processes table displays integer values instead of text for macOS endpoints.
- The dns_resolvers table does not include IPv6 entries for macOS endpoints.
- The dns_lookup_events table does not include IPv6 DNS queries for macOS endpoints.