Description: This osquery command will list all Windows users that are currently logged on
SQL:
select * from logon_sessions;# lists interactive users where the logon server is not blank
select user, logon_domain, session_id, logon_time, logon_server, logon_script
from logon_sessions
where logon_type like "interactive" and logon_server <> "";Operating Systems: Windows only
Reference: