|The authentication protocol.
|Indicates whether the credentials were passed in clear text.
Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.
|The direction of the initiated traffic.
|The session direction is unknown.
|The session is incoming. The Remote Host initiated the session to this device.
|The session is outgoing. This device initiated the session to the Remote Host.
|The unique session identifier, as reported by the operating system.
|The indication of whether the user or user session is admin/root.
|The type of session logon.
|A local logon to device console.
|A logon using remote protocol.
|A user logged on to this computer with network credentials that were stored locally on the computer and the domain controller was not contacted to verify the credentials.
|A user or device logged onto this device from the network.
|A batch server logon, where processes may be executing on behalf of a user without their direct intervention.
|A logon by a service or daemon that was started by the OS.
|A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
|The port that the remote session connects to; applicable for remote sessions only.
|An ordered list of the previous user names used within in the session, from latest to earliest.
|The indication of whether the session is remote.
|The host name of the device associated with the remote session.
|The IP address of the device associated with the remote session. The format is either IPv4 or IPv6.
|The user object that is associated with this session.