@tomsonpl
Contributor

Logged In Users Artifact

The Logged In Users artifact provides comprehensive visibility into currently active user sessions across Windows, Linux, and macOS systems. This cross-platform query enables security teams to detect lateral movement, identify unauthorized access patterns, and perform user activity forensics by enumerating all authenticated sessions with detailed context including login timestamps, session types, and remote connection information.

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query | File | Description |
|---|---|---|---|---|---|
| 1 | Logged In Users | All | logged_in_users_elastic | ccd3f850 | Cross-platform logged-in users enumeration with session details |

Queries by Platform

🪟🍎🐧 Cross-Platform - Active Session Enumeration

Description

Enumerates all currently logged-in users across Windows, Linux, and macOS systems with comprehensive session details. The query retrieves login timestamps, usernames, logon types (console, remote, service), terminal/TTY information, remote host addresses for network sessions, and process IDs. On Windows, it additionally captures the user's Security Identifier (SID) and registry hive path for correlation with other forensic artifacts.

Detection Focus:

  • Lateral Movement Detection: Identify remote logon sessions (RDP on Windows, SSH on Linux/macOS) that may indicate unauthorized access or attacker movement
  • User Activity Forensics: Track user presence and session duration for incident timeline reconstruction
  • Concurrent Session Analysis: Detect multiple simultaneous sessions from the same user account across different hosts
  • Service Account Monitoring: Identify non-interactive service account logons that may indicate misuse
  • Anomalous Access Patterns: Correlate login times with expected business hours and user behavior baselines

Result

[Screenshot: query results, 2026-01-20 15:33:28]

Query results will show all active user sessions with the following information:

  • Login timestamp (human-readable format)
  • Username associated with the session
  • Logon type (console, remote, pts, tty, etc.)
  • Terminal/TTY device identifier
  • Remote host address (for network sessions)
  • Process ID of the session
  • User SID (Windows only)
  • Registry hive path (Windows only)

Platform

linux,darwin,windows

Interval

3600 seconds (1 hour)

Query ID

logged_in_users_elastic

ECS Field Mappings

  • event.category: ["session"] (static value)
  • event.action: osquery.logged_in_users (static value)
  • user.name: username
  • user.id: user_sid
  • process.pid: pid
  • source.address: remote_host
  • tags: ["osquery", "user_activity", "session"] (static value)

SQL Query

-- Logged In Users Enumeration (Cross-Platform)
-- Lists all currently logged-in users with session details
-- Use case: User activity forensics, lateral movement detection, active session enumeration
-- Windows logon types: console (interactive), remote (RDP), service, etc.
-- Linux/macOS: pts (pseudo-terminal), tty (console), etc.
SELECT
  datetime(time, 'unixepoch') AS login_time,
  user AS username,
  type AS logon_type,
  tty,
  host AS remote_host,
  pid,
  sid AS user_sid,
  registry_hive
FROM logged_in_users
ORDER BY time DESC

Platform-Specific Notes

Windows

  • Captures Security Identifier (SID) for user correlation with other Windows artifacts
  • Registry hive path indicates user profile location
  • Logon types distinguish between console (interactive), remote (RDP), and service logons

Linux/macOS

  • TTY field indicates terminal type (pts for pseudo-terminals, tty for console)
  • Remote host field populated for SSH and other remote connections
  • Compatible with all major distributions (Ubuntu, RHEL, Debian, etc.)

  • Enumerates active user sessions with login time, logon type, remote host, and session details.
  • Supports lateral movement detection and user activity forensics across Windows, Linux, and macOS.
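As an added illustration (not part of the PR or the osquery_manager integration), the following Python applies the ECS mapping listed above to rows shaped like the query's output and runs the two detection ideas from "Detection Focus" over them: remote logons and the same user or the same source address appearing on several hosts. The sample rows and the "agent" key (the host that returned each row) are constructed assumptions, not columns of the query.

```python
from collections import defaultdict
# Constructed sample rows shaped like the page's query output; the "agent" key
# (the host that returned the row) is an assumption, not a column of the query.
SAMPLE_ROWS = [
    {"agent": "ws-01", "login_time": "2026-01-20 09:02:11", "username": "alice",
     "logon_type": "console", "tty": "tty1", "remote_host": None, "pid": 1204,
     "user_sid": None, "registry_hive": None},
    {"agent": "srv-db", "login_time": "2026-01-20 09:40:55", "username": "alice",
     "logon_type": "pts", "tty": "pts/0", "remote_host": "10.0.4.17", "pid": 8812,
     "user_sid": None, "registry_hive": None},
    {"agent": "win-fs", "login_time": "2026-01-20 10:15:03", "username": "svc-backup",
     "logon_type": "remote", "tty": "rdp-tcp#3", "remote_host": "10.0.4.17",
     "pid": 5520, "user_sid": "S-1-5-21-1-2-3-1105",
     "registry_hive": "HKEY_USERS\\S-1-5-21-1-2-3-1105"},
]

def to_ecs(row):
    """Apply the PR's ECS mapping to one row; optional fields only when populated."""
    doc = {
        "event.category": ["session"],
        "event.action": "osquery.logged_in_users",
        "user.name": row["username"],
        "process.pid": row["pid"],
        "tags": ["osquery", "user_activity", "session"],
    }
    if row.get("user_sid"):          # Windows only
        doc["user.id"] = row["user_sid"]
    if row.get("remote_host"):       # network sessions only
        doc["source.address"] = row["remote_host"]
    return doc

def remote_sessions(rows):
    """Network logons: Windows 'remote' type (RDP) or a populated remote host (e.g. SSH)."""
    return [r for r in rows if r["logon_type"] == "remote" or r.get("remote_host")]

def concurrent_users(rows):
    """Users holding live sessions on more than one host at once."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[r["username"]].add(r["agent"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > 1}

def fan_out_sources(rows):
    """Remote addresses with sessions on more than one host (pivot candidates)."""
    targets = defaultdict(set)
    for r in remote_sessions(rows):
        if r.get("remote_host"):
            targets[r["remote_host"]].add(r["agent"])
    return {s: sorted(t) for s, t in targets.items() if len(t) > 1}
```

A local pts session (terminal emulator) has no remote host and is therefore not counted as remote; only rows with a host, or the Windows "remote" logon type, are.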
@tomsonpl tomsonpl requested a review from a team as a code owner January 20, 2026 14:33
@elasticmachine
elasticmachine commented Jan 20, 2026

💔 Build Failed

@tomsonpl tomsonpl changed the base branch from main to temporary-osquery-artifacts-branch January 20, 2026 15:07
@tomsonpl tomsonpl removed the request for review from a team January 20, 2026 15:07
@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager Team:Defend Workflows Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows] labels Jan 20, 2026