Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
allister
07/20/2022, 6:28 AMmaybe logged_in_users has context?
Anyway, the actual thing that someone WANTS me to pull info for is…
laptop lid opens and closes. Which I kindof don't want there to be a table for? but I may as well ask
s
seph
07/20/2022, 4:05 PMI would be surprised if you could discern laptop open/closed events from the
lastI’m not sure if it’s exposed anywhere by the OS, or anywhere osquery can read it.
s
sharvil
07/21/2022, 1:21 PMAlso lid open/close doesn’t imply logged in/logged out per se — I often have lid closed connected to external monitor
macOS 13 EndpointSecurity does introduce new login/logout events
a
allister
07/21/2022, 4:13 PMORLY
I don't even have the unified log extension to be able to pull Clamshell log events that should be close enough
s
seph
07/21/2022, 4:33 PMNext osquery probably has UAL built in.
And that extension is kinda dicy… It’s shelling out.