diff --git a/docs/Using Fleet/Audit-logs.md b/docs/Using Fleet/Audit-logs.md
index 2367b31d9f..700f2e869a 100644
--- a/docs/Using Fleet/Audit-logs.md
+++ b/docs/Using Fleet/Audit-logs.md
@@ -1049,6 +1049,65 @@ This activity contains the following fields:
}
```
+## created_declaration_profile
+
+Generated when a user adds a new macOS declaration to a team (or no team).
+
+This activity contains the following fields:
+- "profile_name": Name of the declaration.
+- "identifier": Identifier of the declaration.
+- "team_id": The ID of the team that the declaration applies to, `null` if it applies to devices that are not in a team.
+- "team_name": The name of the team that the declaration applies to, `null` if it applies to devices that are not in a team.
+
+#### Example
+
+```json
+{
+ "profile_name": "Passcode requirements",
+ "profile_identifier": "com.my.declaration",
+ "team_id": 123,
+ "team_name": "Workstations"
+}
+```
+
+## deleted_declaration_profile
+
+Generated when a user removes a macOS declaration from a team (or no team).
+
+This activity contains the following fields:
+- "profile_name": Name of the declaration.
+- "identifier": Identifier of the declaration.
+- "team_id": The ID of the team that the declaration applies to, `null` if it applies to devices that are not in a team.
+- "team_name": The name of the team that the declaration applies to, `null` if it applies to devices that are not in a team.
+
+#### Example
+
+```json
+{
+ "profile_name": "Passcode requirements",
+ "profile_identifier": "com.my.declaration",
+ "team_id": 123,
+ "team_name": "Workstations"
+}
+```
+
+## edited_declaration_profile
+
+Generated when a user edits the macOS declarations of a team (or no team) via the fleetctl CLI.
+
+This activity contains the following fields:
+- "team_id": The ID of the team that the declarations apply to, `null` if they apply to devices that are not in a team.
+- "team_name": The name of the team that the declarations apply to, `null` if they apply to devices that are not in a team.
+
+#### Example
+
+```json
+{
+ "team_id": 123,
+ "team_name": "Workstations"
+}
+```
+
diff --git a/docs/Using Fleet/Understanding-host-vitals.md b/docs/Using Fleet/Understanding-host-vitals.md
index 47dca9f92c..2fe0abb033 100644
--- a/docs/Using Fleet/Understanding-host-vitals.md
+++ b/docs/Using Fleet/Understanding-host-vitals.md
@@ -199,7 +199,7 @@ WITH registry_keys AS (
-- coalesce to 'unknown' and keep that state in the list
-- in order to account for hosts that might not have this
-- key, and servers
- WHERE COALESCE(e.state, '0') IN ('0', '1', '2')
+ WHERE COALESCE(e.state, '0') IN ('0', '1', '2', '3')
LIMIT 1;
```
@@ -373,12 +373,20 @@ SELECT * FROM os_version LIMIT 1
- Query:
```sql
-SELECT os.name, r.data as display_version, k.version
+WITH display_version_table AS (
+ SELECT data as display_version
+ FROM registry
+ WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
+ )
+ SELECT
+ os.name,
+ COALESCE(d.display_version, '') AS display_version,
+ k.version
FROM
- registry r,
os_version os,
kernel_info k
- WHERE r.path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
+ LEFT JOIN
+ display_version_table d
```
## os_windows
@@ -387,19 +395,23 @@ SELECT os.name, r.data as display_version, k.version
- Query:
```sql
-SELECT
+WITH display_version_table AS (
+ SELECT data as display_version
+ FROM registry
+ WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
+ )
+ SELECT
os.name,
os.platform,
os.arch,
k.version as kernel_version,
os.version,
- r.data as display_version
+ COALESCE(d.display_version, '') AS display_version
FROM
os_version os,
- kernel_info k,
- registry r
- WHERE
- r.path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
+ kernel_info k
+ LEFT JOIN
+ display_version_table d
```
## osquery_flags