Built off the open source project Osquery
Description: Linux and macOS X login information
What the Data Shows: The last table in Osquery provides login and logout events for Linux and Mac OS X systems whilst providing the process ID and the connecting host.
SQL: The following query joins the processes table to get the entry process name showing all sessions with a host identifier.
You can modify this query further to grab only external IP addresses.
AND host NOT IN (':1', '127.0.0.1')
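A query of the kind described above, run against constructed sample rows with Python's sqlite3 module (osquery uses the SQLite dialect). This is an added example, not the query from the original post: it assumes utmp type 7 is a login and 8 a logout, and it uses a LEFT JOIN so that sessions whose entry process has already exited are still returned, where an inner join on processes would drop them.

```python
import sqlite3

# Query text in osquery's SQLite dialect; only columns that exist in the
# osquery `last` and `processes` tables are used.
QUERY = """
SELECT l.username, l.tty, l.pid,
       CASE l.type WHEN 7 THEN 'login' WHEN 8 THEN 'logout'
                   ELSE 'other (' || l.type || ')' END AS event,
       datetime(l.time, 'unixepoch') AS utc_time,
       l.host, p.name AS process_name
FROM last AS l
LEFT JOIN processes AS p ON p.pid = l.pid   -- keep rows with no live process
WHERE l.host <> ''                          -- sessions with a host identifier
  AND l.host NOT IN (':1', '127.0.0.1')     -- filter from the post
ORDER BY l.time;
"""

def run_demo():
    """Run QUERY over constructed rows that mimic the two osquery tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE last (username TEXT, tty TEXT, pid INTEGER,
                           type INTEGER, time INTEGER, host TEXT);
        CREATE TABLE processes (pid INTEGER, name TEXT);
    """)
    # Constructed sample data (documentation IP ranges, made-up users).
    db.executemany("INSERT INTO last VALUES (?,?,?,?,?,?)", [
        ("alice", "pts/0", 4101, 7, 1700000000, "203.0.113.10"),
        ("alice", "pts/0", 4101, 8, 1700003600, "203.0.113.10"),
        ("bob",   "pts/1", 4200, 7, 1700000500, "127.0.0.1"),
        ("carol", "tty1",   900, 7, 1700000700, ""),
        ("dave",  "pts/2", 4300, 7, 1700001000, "198.51.100.7"),
    ])
    # Only dave's and carol's entry processes are still running.
    db.executemany("INSERT INTO processes VALUES (?,?)",
                   [(4300, "sshd"), (900, "login")])
    return db.execute(QUERY).fetchall()

if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The loopback and console sessions are filtered out, and alice's rows come back with an empty process name because PID 4101 is no longer in the processes table.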
Nice query @stympanick!
I would like to offer a suggestion that converts the type field to a human-readable format. Would you consider modifying your query to:
Hello @stympanick, I ran this query against our macOS devices but it did not return any matches. Result = not_matched. Any idea why this would be the case?