maybe logged_in_users has context?
Anyway, the act...
# macosa
allister
07/20/2022, 6:28 AMmaybe logged_in_users has context?
Anyway, the actual thing that someone WANTS me to pull info for is…
laptop lid opens and closes. Which I kindof don't want there to be a table for? but I may as well ask
s
seph
07/20/2022, 4:05 PM
I would be surprised if you could discern laptop open/closed events from the
lastseph
07/20/2022, 4:06 PM
I’m not sure if it’s exposed anywhere by the OS, or anywhere osquery can read it.
s
sharvil
07/21/2022, 1:21 PMAlso lid open/close doesn’t imply logged in/logged out per se — I often have lid closed connected to external monitor
sharvil
07/21/2022, 1:22 PMmacOS 13 EndpointSecurity does introduce new login/logout events
a
allister
07/21/2022, 4:13 PMORLY
allister
07/21/2022, 4:14 PMI don't even have the unified log extension to be able to pull Clamshell log events that should be close enough
s
seph
07/21/2022, 4:33 PM
Next osquery probably has UAL built in.
seph
07/21/2022, 4:33 PM
And that extension is kinda dicy… It’s shelling out.
3 Views