From dbf8697cdba9d5eb60ecd24fa33826244a49bbbf Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Fri, 31 Oct 2025 14:26:47 -0400
Subject: [PATCH] Update Santa tables (#35055)

- @noahtalerman: We decided to cut the `santa_rules` table and tweak descriptions: https://github.com/fleetdm/fleet/pull/33825
- Looks like these doc changes got added back to `main` by accident
---
 schema/osquery_fleet_schema.json | 43 +++----------------------------
 schema/tables/santa_allowed.yml | 5 +++-
 schema/tables/santa_denied.yml | 5 +++-
 schema/tables/santa_rules.yml | 27 --------------------
 4 files changed, 12 insertions(+), 68 deletions(-)
 delete mode 100644 schema/tables/santa_rules.yml

diff --git a/schema/osquery_fleet_schema.json b/schema/osquery_fleet_schema.json
index 40f5f6b4f1..98800ce407 100644
--- a/schema/osquery_fleet_schema.json
+++ b/schema/osquery_fleet_schema.json
@@ -24376,12 +24376,13 @@
 },
 {
 "name": "santa_allowed",
- "description": "List of applications Santa has allowed to run on the host.",
+ "description": "Logs events for when Santa allowed applications to run on the host. Fleet's agent (fleetd) only stores the most recent 10,000 allowed events.",
 "platforms": [
 "darwin"
 ],
 "evented": false,
 "examples": "Show Google Chrome open events, as allowed by Santa.\n\n```\nSELECT * FROM santa_allowed WHERE application = '/Applications/Google Chrome.app';\n```",
+ "notes": "- Fleetd only stores the most recent 10,000 allowed events to avoid hitting [osquery watchdog limits](https://fleetdm.com/guides/osquery-watchdog).\n- If you're running this query as a scheduled query, use the `differential_ignore_removals` to avoid hitting osquery watchdog limits",
 "columns": [
 {
 "name": "timestamp",
@@ -24413,12 +24414,13 @@
 },
 {
 "name": "santa_denied",
- "description": "List of applications Santa has denied from running on the host.",
+ "description": "Logs events for when Santa denied applications from running on the host. Fleet's agent (fleetd) only stores the most recent 10,000 denied events.",
 "platforms": [
 "darwin"
 ],
 "evented": false,
 "examples": "Collect all Santa denied logs from macOS hosts.\n```\nSELECT * FROM santa_denied;\n```",
+ "notes": "- Fleetd only stores the most recent 10,000 denied events to avoid hitting [osquery watchdog limits](https://fleetdm.com/guides/osquery-watchdog).\n- If you're running this query as a scheduled query, use the `differential_ignore_removals` to avoid hitting osquery watchdog limits",
 "columns": [
 {
 "name": "timestamp",
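Review bot: The new `notes` on `santa_denied` state a 10,000-event cap but not what happens beyond it, which is the thing a detection engineer needs to know: if fleetd keeps only the most recent 10,000 denials, anything older is presumably gone from this table for good, so a scheduled query whose interval is longer than the time a busy host takes to generate 10,000 denials silently drops events. I'd add a sentence such as `Events older than the most recent 10,000 are discarded and cannot be retrieved later; if you rely on this table for detection, schedule the query often enough that fewer than 10,000 denials occur between runs.` The second bullet is also a fragment — `use the differential_ignore_removals to avoid hitting osquery watchdog limits` has no noun after the option name and no terminal period; `use the differential_ignore_removals logging option` reads correctly. Since `fleetRepoUrl` points at `schema/tables/santa_denied.yml`, if this JSON is generated from the YAML the wording should be fixed there and regenerated rather than edited by hand here.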
@@ -24448,43 +24450,6 @@
 "url": "https://fleetdm.com/tables/santa_denied",
 "fleetRepoUrl": "https://github.com/fleetdm/fleet/blob/main/schema/tables/santa_denied.yml"
 },
- {
- "name": "santa_rules",
- "description": "The [Santa](https://github.com/google/santa) rules that are currently installed on a macOS host.",
- "platforms": [
- "darwin"
- ],
- "evented": false,
- "examples": "Verify that running WhatsApp will be denied (blocked) by Santa via WhatsApp's Team ID.\n```\nSELECT state FROM santa_rules WHERE identifier = '57T9237FN3';\n```",
- "columns": [
- {
- "name": "identifier",
- "description": "Rule identifier (SHA256, Team ID, etc.",
- "required": false,
- "type": "text"
- },
- {
- "name": "type",
- "description": "Type of rule (Binary, Certificate, TeamID)",
- "required": false,
- "type": "text"
- },
- {
- "name": "state",
- "description": "Rule state (Allowlist, Denylist)",
- "required": false,
- "type": "text"
- },
- {
- "name": "custom_message",
- "description": "Custom message associated with the rule",
- "required": false,
- "type": "text"
- }
- ],
- "url": "https://fleetdm.com/tables/santa_rules",
- "fleetRepoUrl": "https://github.com/fleetdm/fleet/blob/main/schema/tables/santa_rules.yml"
- },
 {
 "name": "santa_status",
 "description": "The output of `santactl status --json` showing current Santa statistics and configuration.",
diff --git a/schema/tables/santa_allowed.yml b/schema/tables/santa_allowed.yml
index 5ce7874687..9679025aac 100644
--- a/schema/tables/santa_allowed.yml
+++ b/schema/tables/santa_allowed.yml
@@ -1,5 +1,5 @@
 name: santa_allowed
-description: List of applications Santa has allowed to run on the host.
+description: "Logs events for when Santa allowed applications to run on the host. Fleet's agent (fleetd) only stores the most recent 10,000 allowed events."
 platforms:
 - darwin
 evented: false
@@ -9,6 +9,9 @@ examples: |-
 ```
 SELECT * FROM santa_allowed WHERE application = '/Applications/Google Chrome.app';
 ```
+notes: |-
+ - Fleetd only stores the most recent 10,000 allowed events to avoid hitting [osquery watchdog limits](https://fleetdm.com/guides/osquery-watchdog).
+ - If you're running this query as a scheduled query, use the `differential_ignore_removals` to avoid hitting osquery watchdog limits
 columns:
 - name: timestamp
 description: Timestamp of the decision
diff --git a/schema/tables/santa_denied.yml b/schema/tables/santa_denied.yml
index aed612b2a7..46794ec631 100644
--- a/schema/tables/santa_denied.yml
+++ b/schema/tables/santa_denied.yml
@@ -1,5 +1,5 @@
 name: santa_denied
-description: List of applications Santa has denied from running on the host.
+description: Logs events for when Santa denied applications from running on the host. Fleet's agent (fleetd) only stores the most recent 10,000 denied events.
 platforms:
 - darwin
 evented: false
@@ -8,6 +8,9 @@ examples: |-
 ```
 SELECT * FROM santa_denied;
 ```
+notes: |-
+ - Fleetd only stores the most recent 10,000 denied events to avoid hitting [osquery watchdog limits](https://fleetdm.com/guides/osquery-watchdog).
+ - If you're running this query as a scheduled query, use the `differential_ignore_removals` to avoid hitting osquery watchdog limits
 columns:
 - name: timestamp
 description: Timestamp of the decision
diff --git a/schema/tables/santa_rules.yml b/schema/tables/santa_rules.yml
deleted file mode 100644
index e429c9ad64..0000000000
--- a/schema/tables/santa_rules.yml
+++ /dev/null
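Review bot: The `notes` block added to `santa_denied.yml` tells readers to use `differential_ignore_removals` but not why, and the reason is what lets them judge whether the advice applies to their schedule: presumably, because fleetd keeps only a rolling window of the most recent 10,000 events, every run of a plain `differential` query would report each event that aged out of the window as a removal, roughly doubling the rows osquery has to diff and ship. I'd expand the second bullet to say so, e.g. `use the differential_ignore_removals logging option so that events aging out of the 10,000-event buffer are not reported as removals`, and give it a terminal period; the same wording applies to `santa_allowed.yml` above. Separately, `santa_allowed.yml` now wraps its `description` in double quotes while `santa_denied.yml` leaves it bare; both parse identically because neither string contains `: ` or ` #`, but the two files are meant to read in parallel and should use one form.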
@@ -1,27 +0,0 @@
-name: santa_rules
-description: The [Santa](https://github.com/google/santa) rules that are currently installed on a macOS host.
-platforms:
- - darwin
-evented: false
-examples: |-
- Verify that running WhatsApp will be denied (blocked) by Santa via WhatsApp's Team ID.
- ```
- SELECT state FROM santa_rules WHERE identifier = '57T9237FN3';
- ```
-columns:
- - name: identifier
- description: Rule identifier (SHA256, Team ID, etc.
- required: false
- type: text
- - name: type
- description: Type of rule (Binary, Certificate, TeamID)
- required: false
- type: text
- - name: state
- description: Rule state (Allowlist, Denylist)
- required: false
- type: text
- - name: custom_message
- description: Custom message associated with the rule
- required: false
- type: text