CREATE VIEW surveilr_osquery_ms_node_installed_software AS
SELECT
json_extract(l.content, '$.surveilrOsQueryMsNodeKey') AS node_key,
l.updated_at,
json_extract(l.content, '$.hostIdentifier') AS host_identifier,
json_extract(l.content, '$.columns.name') AS name,
json_extract(l.content, '$.columns.source') AS source,
json_extract(l.content, '$.columns.type') AS type,
json_extract(l.content, '$.columns.version') AS version,
CASE
WHEN json_extract(l.content, '$.name') = 'Installed Linux software' THEN 'linux'
WHEN json_extract(l.content, '$.name') = 'Installed Macos software' THEN 'macos'
WHEN json_extract(l.content, '$.name') = 'Installed Windows software' THEN 'windows'
ELSE 'unknown'
END AS platform
FROM uniform_resource AS l
WHERE l.uri = 'osquery-ms:query-result'
AND (
json_extract(l.content, '$.name') = 'Installed Linux software' OR
json_extract(l.content, '$.name') = 'Installed Macos software' OR
json_extract(l.content, '$.name') = 'Installed Windows software'
)