Built off the open source project Osquery
Description:looking for what users are logged into a host, the user the type of auth, time and process
What The Data Shows: good for troubleshooting what user may have made changes that caused an issue, auditing purposes, or even incident response.
SELECT type,user,host,time,pid,p.nameFROM (`logged_in_users`) JOIN processes AS p USING(pid);
@coreymaygard would you consider using a JOIN to get the process name and no just the PID? Here is an example:
nice. good suggestion, thanks!
I changed the query to reflect your suggestion
Here is a similar query in case you are interested: https://community.carbonblack.com/t5/Query-Exchange/Process-by-user/idi-p/97414
Very handy thank you, what about if I want to search a large amount of computers and I only want hits if a specific user is present.
Thanks in advance
@dale_a_brown you could use something like:
FROM (`logged_in_users`) JOIN processes AS p USING(pid)WHERE user = 'dale';
However, I have recently seen cases where the pid is "-1" which indicates that osquery did not understand the value. Since there is no such pid, the JOIN does not take place and you would get no results. Therefore, it is probably best to run it without the JOIN (sorry @coreymaygard ), but I would also convert the time to human-readable form:
SELECT type,user,host,datetime(time,'unixepoch','localtime') AS 'time',pid
WHERE user = 'dale';
SELECT type,user,host,datetime(time,'unixepoch','localtime') AS 'time',pidFROM (`logged_in_users`)WHERE user = 'dale';
The above will tell me if user 'dale' is currently logged in - is that correct?
What i'm searching for is if a user has ever logged on the machine i.e a user folder is present on the machine.
@dale_a_brown I create a new post to meet your use case:
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.