The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Find where users have logged in

This query looks for the existence of a Windows user's folder which indicates that they have logged into a system at least once. Then it also pulls the last login time and type from the Windows Event Logs. 

There are two places with the username in the SQL below ('dale') that need to be changed to the user you are looking for. The instances are in bolded red.

with wel as (

  select datetime as 'last_login',
    json_extract(,'$.EventData.TargetUserName') as 'username',
     case json_extract(,'$.EventData.LogonType')
      when '2' then 'INTERACTIVE'
      when '3' then 'NETWORK'
      when '4' then 'BATCH'
      when '5' then 'SERVICE'
      when '7' then 'UNLOCK'
      when '8' then 'NETWORK_CLEAR_TEXT'
      when '9' then 'NEW_CREDENTIALS'
      when '10' then 'REMOTE_INTERACTIVE'
      when '11' then 'CACHED_INTERACTIVE'
    end 'logon_type_description'
  from windows_eventlog
  where channel = 'Security'
    and eventid = '4624'
    and json_extract(,'$.EventData.TargetUserName') = 'dale'
  order by datetime desc
  limit 1),
dir as (
  select path,
         filename as 'username',
         datetime(btime,'unixepoch','localtime') as 'dir_created'
  from file
  where path = '\users\dale'
select *
from dir
join wel using(username);


Carbon Black Employee
Status changed to: Approved
New Contributor II

Works well thank you