The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Windows logoff events

Windows logoff events parsed from event logs:

select datetime,
    eventid,

  json_extract(windows_eventlog.data,'$.EventData.TargetUserSid') as 'sid',
  json_extract(windows_eventlog.data,'$.EventData.TargetUserName') as 'username'
from windows_eventlog
where channel = 'Security'
  and eventid = '4647';
Tags (2)
0 Votes
2 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
 
jnelson
Carbon Black Employee

Updated to use the json_extract() function that I just learned about!