Retrieves the list of all the currently logged in users in the target system. Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
Query:
select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;
Additional Query Info:
Version: 1.4.5
Platform: posix
Interval: 3600
JSON:
{
  "queries": {
    "logged_in_users": {
      "query" : "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;",
      "interval" : "3600",
      "platform" : "posix",
      "version": "1.4.5",
      "description" : "Retrieves the list of all the currently logged in users in the target system.",
      "value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."
    }
  }
}