Windows Logon Sessions (osquery)

0

Description: This osquery command will list all Windows users that are currently logged on

SQL:

select * from logon_sessions;
# lists interactive users where the logon server is not blank
select user, logon_domain, session_id, logon_time, logon_server, logon_script
from logon_sessions
where logon_type like "interactive" and logon_server <> "";

Operating Systems: Windows only

Reference: