Built on the open-source project osquery.
Windows logoff events parsed from event logs:
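-- Event ID 4647 in the Security channel records a user-initiated logoff.
-- The account SID and name are extracted from the event's JSON data column.
select datetime, eventid,
  json_extract(windows_eventlog.data,'$.EventData.TargetUserSid') as 'sid',
  json_extract(windows_eventlog.data,'$.EventData.TargetUserName') as 'username'
from windows_eventlog
where channel = 'Security'
  and eventid = '4647';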