Logged Users
Overview
Section titled “Overview”Evidence: Logged Users
Description: Collect Logged Users
Category: System
Platform: macos
Short Name: lusrs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”This collector gathers logged users information from the macOS system. This data is essential for understanding system activity, detecting security incidents, and investigating system-related events.
Data Collected
Section titled “Data Collected”This collector gathers structured data about logged users.
Logged Users Data
Section titled “Logged Users Data”| Field | Description | Example |
|---|---|---|
Type | Type | Example value |
Username | Username | Example value |
Tty | Tty | Example value |
Host | Host | Example value |
Time | Time | 2023-10-15 14:30:25+03:00 |
ProcessId | Process Id | 123 |
Collection Method
Section titled “Collection Method”This collector queries the logged_in_users table via osquery and records results into the logged_users table.
Forensic Value
Section titled “Forensic Value”This evidence is crucial for forensic investigations as it reveals active and recent user sessions, helping identify unauthorized access, lateral movement, and account misuse.