maybe logged_in_users has context? Anyway, the act...
# macos
maybe logged_in_users has context? Anyway, the actual thing that someone WANTS me to pull info for is… laptop lid opens and closes. Which I kindof don't want there to be a table for? but I may as well ask
I would be surprised if you could discern laptop open/closed events from the
table. Or any kind of login tables.
I’m not sure if it’s exposed anywhere by the OS, or anywhere osquery can read it.
Also lid open/close doesn’t imply logged in/logged out per se — I often have lid closed connected to external monitor
macOS 13 EndpointSecurity does introduce new login/logout events
I don't even have the unified log extension to be able to pull Clamshell log events that should be close enough
Next osquery probably has UAL built in.
And that extension is kinda dicy… It’s shelling out.