From b5b43e7aa7238c0d8a82457adefb8355d29dc8e8 Mon Sep 17 00:00:00 2001
From: William Theaker
Date: Tue, 30 Jun 2020 09:18:50 -0700
Subject: [PATCH] Brief Auto Table Construction docs (#2249)
---
 docs/cli/file-format.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/docs/cli/file-format.md b/docs/cli/file-format.md
index db84d3b237..cdb55d9b7d 100644
--- a/docs/cli/file-format.md
+++ b/docs/cli/file-format.md
@@ -231,6 +231,32 @@ spec:
 interval:
 3600: "SELECT total_seconds AS uptime FROM uptime"
 ```
+
+### Auto Table Construction
+
+You can use Kolide Fleet to query local SQLite databases as tables. For more information on creating ATC configuration from a SQLite database, see the [Osquery Automatic Table Construction documentation](https://osquery.readthedocs.io/en/stable/deployment/configuration/#automatic-table-construction)
+
+If you already know what your ATC configuration needs to look like, you can add it to an options config file:
+
+```yaml
+apiVersion: v1
+kind: options
+spec:
+ overrides:
+ platforms:
+ darwin:
+ auto_table_construction:
+ tcc_system_entries:
+ query: "select service, client, allowed, prompt_count, last_modified from access"
+ path: "/Library/Application Support/com.apple.TCC/TCC.db"
+ columns:
+ - "service"
+ - "client"
+ - "allowed"
+ - "prompt_count"
+ - "last_modified"
+```
+
 ## Fleet Configuration Options
 The following file describes configuration options applied to the Fleet server.