https://github.com/osquery/osquery logo
Powered by
#macos
Title
# macos
a

allister

07/20/2022, 6:28 AM
maybe logged_in_users has context? Anyway, the actual thing that someone WANTS me to pull info for is… laptop lid opens and closes. Which I kindof don't want there to be a table for? but I may as well ask
s

seph

07/20/2022, 4:05 PM
I would be surprised if you could discern laptop open/closed events from the 
last
table. Or any kind of login tables.
I’m not sure if it’s exposed anywhere by the OS, or anywhere osquery can read it.
s

sharvil

07/21/2022, 1:21 PM
Also lid open/close doesn’t imply logged in/logged out per se — I often have lid closed connected to external monitor
macOS 13 EndpointSecurity does introduce new login/logout events
a

allister

07/21/2022, 4:13 PM
ORLY
I don't even have the unified log extension to be able to pull Clamshell log events that should be close enough
s

seph

07/21/2022, 4:33 PM
Next osquery probably has UAL built in.
And that extension is kinda dicy… It’s shelling out.
3 Views
Powered by