Windows logoff events parsed from event logs:
select datetime,
eventid,
json_extract(windows_eventlog.data,'$.EventData.TargetUserSid') as 'sid',
json_extract(windows_eventlog.data,'$.EventData.TargetUserName') as 'username'
from windows_eventlog
where channel = 'Security'
and eventid = '4647';
