Is there a way to get the kolide_decorations into the standard decorations field for log export? Or SEIM only sees the decorators but not the kolide_decorations. I can see if the SIEM (panther) can update their parser but since its built for standard OS_Query they may not want to change it

Hi @Travis, so the reason we split them up is we felt wrong polluting the standard area osquery decorators would live, but in practice do you think (beyond your use-case) that is actually not a big deal? Or is there a way for us to structure it within the decorators key with prepending things with a special string to keep that obvious separation? Would love your thoughts, I just don't want to break other folks' assumptions about the log output.

I think its more of enriching the standard decorators rather than polluting 🙂

Ok! I think that perspective actually helps us make a decision. I'm going to chat with the team, but if we can make this happen we will, otherwise we will let you know.

A sort of namespace for the kolide decorators would be a nice addition so they don't conflict with the default ones