User Session Object

The user session object describes the session in which the event occurred.
Name Attribute Requirement Type Description
Auth Protocol auth_protocol_id Optional Integer The authentication protocol.
0Unknown
1NTLM
2Kerberos
3Digest
4OpenID
5SAML
6OAUTH 2.0
7PAP
8CHAP
9EAP
10RADIUS
Cleartext CredentialsЕxt cleartext_credentials Optional Boolean Indicates whether the credentials were passed in clear text.

Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.

DirectionЕxt direction_id Optional Integer The direction of the initiated traffic.
0UnknownThe session direction is unknown.
1InboundThe session is incoming. The Remote Host initiated the session to this device.
2OutboundThe session is outgoing. This device initiated the session to the Remote Host.
ID id Recommended Integer The unique session identifier, as reported by the operating system.
Admin Session is_admin Recommended Boolean The indication of whether the user or user session is admin/root.
Logon Type logon_type_id Recommended Integer The type of session logon.
1InteractiveA local logon to device console.
2Remote InteractiveA logon using remote protocol.
3Cached InteractiveA user logged on to this computer with network credentials that were stored locally on the computer and the domain controller was not contacted to verify the credentials.
4NetworkA user or device logged onto this device from the network.
5BatchA batch server logon, where processes may be executing on behalf of a user without their direct intervention.
6ServiceA logon by a service or daemon that was started by the OS.
7New CredentialsA caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
PortЕxt port Recommended Integer The port that the remote session connects to; applicable for remote sessions only.
Previous UsersЕxt previous_users Recommended String Array An ordered list of the previous user names used within in the session, from latest to earliest.
Remote remote Recommended Boolean The indication of whether the session is remote.
Remote HostЕxt remote_host Recommended String The host name of the device associated with the remote session.
Remote IPЕxt remote_ip Recommended IP Address The IP address of the device associated with the remote session. The format is either IPv4 or IPv6.
User user Recommended User The user object that is associated with this session.