This detects a potential vulnerability in application compatibility mode being set
https://www.itnews.com.au/news/windows-compatibility-mode-resurfaces-old-flaws-473058
Schema
| analysis | string | JSON object representing the analysis |
| data | string | Data content of registry value |
| key | string | Name of the key |
| mtime | long | time of the most recent registry write |
| name | string | Name of the registry value entry |
| path | string | Full path to the value |
| type | string | Type of the registry value |
-- vulnerability_app_compatibility INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, analysis, data, key, mtime, name, path, type, -- Decoration meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip, meta_query_pack_version, meta_username, --- Generic calendar_time, counter, epoch, host_identifier, numerics osquery_action, unix_time, -- Data Lake customer_id, endpoint_id, upload_size FROM xdr_data WHERE query_name = 'vulnerability_app_compatibility'
RESULTS
None yet in my env. someone can test perhaps 
