||The authentication protocol.
||Indicates whether the credentials were passed in clear text.
Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.
||The direction of the initiated traffic.
|0||Unknown||The session direction is unknown.|
|1||Inbound||The session is incoming. The Remote Host initiated the session to this device.|
|2||Outbound||The session is outgoing. This device initiated the session to the Remote Host.|
||The unique session identifier, as reported by the operating system.
||The indication of whether the user or user session is admin/root.
||The type of session logon.
|1||Interactive||A local logon to device console.|
|2||Remote Interactive||A logon using remote protocol.|
|3||Cached Interactive||A user logged on to this computer with network credentials that were stored locally on the computer and the domain controller was not contacted to verify the credentials.|
|4||Network||A user or device logged onto this device from the network.|
|5||Batch||A batch server logon, where processes may be executing on behalf of a user without their direct intervention.|
|6||Service||A logon by a service or daemon that was started by the OS.|
|7||New Credentials||A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
||The port that the remote session connects to; applicable for remote sessions only.
||An ordered list of the previous user names used within in the session, from latest to earliest.
||The indication of whether the session is remote.
||The host name of the device associated with the remote session.
||The IP address of the device associated with the remote session. The format is either IPv4 or IPv6.
||The user object that is associated with this session.