Live Query can pull the list of logged-in users from one or more endpoints, either on a daily schedule or on demand, using the osquery logged_in_users table. The table reports the sessions present at the moment the query runs, so a daily schedule yields a daily snapshot of sessions rather than a complete login history.
The following osquery query, scheduled to run daily, returns every row of the table:
SELECT * FROM logged_in_users
Endpoints that Users Log Into
The following Splunk search reads the matched results of that Live Query (query_name "List Logged In Users"), flattens the device.* and fields.* JSON fields, and lists, for each user, the names and IDs of the endpoints that user has logged into:
eventtype="vmware_cbc_base_index" sourcetype="vmware:cbc:livequery:result" query_name="List Logged In Users" status=matched | rename device.* as device_*, fields.* as * | eval _time = time | reltime | stats values(device_name) as device_names, values(device_id) as device_ids by user
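The same aggregation in plain Python, as an added example that is not part of the original page or of the Carbon Black Cloud Splunk app. It flattens constructed sample Live Query result events (shaped as the search above assumes: top-level query_name, status and time, a nested device object with id and name, and a nested fields object holding the osquery row; the exact event shape is an assumption of this example) and groups device names and IDs by user, as the stats command does. It goes slightly beyond the search by also counting distinct endpoints per user, so that accounts seen on the most endpoints sort first, which is the usual starting point when hunting for lateral movement in this data.

```python
"""Group Carbon Black Cloud Live Query logged_in_users results by user.

Added example, not code from the original page or from the CBC Splunk app.
Reproduces the SPL pipeline above:
  rename device.* as device_*, fields.* as *
  stats values(device_name) as device_names, values(device_id) as device_ids by user
and additionally counts distinct endpoints per user.
"""
from collections import defaultdict

# Constructed sample events in the assumed shape of the
# vmware:cbc:livequery:result sourcetype (not real telemetry).
SAMPLE_RESULTS = [
    {"query_name": "List Logged In Users", "status": "matched", "time": 1700000000,
     "device": {"id": 101, "name": "WS-ALICE"},
     "fields": {"user": "alice", "type": "user", "tty": "console"}},
    {"query_name": "List Logged In Users", "status": "matched", "time": 1700000000,
     "device": {"id": 101, "name": "WS-ALICE"},
     "fields": {"user": "alice", "type": "user", "tty": "pts/0"}},
    {"query_name": "List Logged In Users", "status": "matched", "time": 1700000001,
     "device": {"id": 102, "name": "WS-BOB"},
     "fields": {"user": "bob", "type": "user", "tty": "console"}},
    {"query_name": "List Logged In Users", "status": "matched", "time": 1700000002,
     "device": {"id": 201, "name": "SRV-FILE01"},
     "fields": {"user": "bob", "type": "user", "tty": "pts/1"}},
    {"query_name": "List Logged In Users", "status": "matched", "time": 1700000002,
     "device": {"id": 201, "name": "SRV-FILE01"},
     "fields": {"user": "svc_backup", "type": "user", "tty": "pts/2"}},
    # A device where the query ran but returned no rows: no fields, skipped.
    {"query_name": "List Logged In Users", "status": "not_matched", "time": 1700000003,
     "device": {"id": 301, "name": "SRV-DB01"}},
    # A result from a different Live Query, skipped by the query_name filter.
    {"query_name": "List Processes", "status": "matched", "time": 1700000004,
     "device": {"id": 102, "name": "WS-BOB"},
     "fields": {"user": "carol", "name": "explorer.exe"}},
]


def flatten(event):
    """Mimic `rename device.* as device_*, fields.* as *` on one event."""
    row = {k: v for k, v in event.items() if k not in ("device", "fields")}
    for key, value in event.get("device", {}).items():
        row["device_" + key] = value
    row.update(event.get("fields", {}))
    return row


def endpoints_by_user(events, query_name="List Logged In Users"):
    """Return {user: {"device_names": [...], "device_ids": [...], "endpoint_count": n}}.

    Only matched results of the named query are considered, as in the SPL search.
    """
    names = defaultdict(set)
    ids = defaultdict(set)
    for event in events:
        if event.get("query_name") != query_name or event.get("status") != "matched":
            continue
        row = flatten(event)
        user = row.get("user")
        if not user:
            continue
        names[user].add(row["device_name"])
        ids[user].add(row["device_id"])
    return {
        user: {
            "device_names": sorted(names[user]),
            "device_ids": sorted(ids[user]),
            "endpoint_count": len(ids[user]),
        }
        for user in names
    }


def rank_by_spread(summary):
    """Users ordered by number of distinct endpoints, widest spread first."""
    return sorted(summary, key=lambda u: (-summary[u]["endpoint_count"], u))


if __name__ == "__main__":
    summary = endpoints_by_user(SAMPLE_RESULTS)
    for user in rank_by_spread(summary):
        info = summary[user]
        print(f"{user}: {info['endpoint_count']} endpoint(s) {info['device_names']} ids={info['device_ids']}")
```

Run against real exported results, the rank_by_spread output is the list to review first: an interactive account present on many servers, or a service account appearing on a workstation, is worth a closer look in the event timeline for those devices.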