maybe logged_in_users has context?
Anyway, the actual thing that someone WANTS me to pull info for is…laptop lid opens and closes. Which I kind of don't want there to be a table for? But I may as well ask
07/20/2022, 4:05 PM
I would be surprised if you could discern laptop open/closed events from the
table. Or any kind of login tables.
I’m not sure if it’s exposed anywhere by the OS, or anywhere osquery can read it.
07/21/2022, 1:21 PM
Also lid open/close doesn’t imply logged in/logged out per se — I often have lid closed connected to external monitor
macOS 13 EndpointSecurity does introduce new login/logout events
07/21/2022, 4:13 PM
I don't even have the unified log extension to be able to pull Clamshell log events that should be close enough
07/21/2022, 4:33 PM
Next osquery probably has UAL built in.
And that extension is kinda dicey… It’s shelling out.