| Auth Protocol |
auth_protocol_id |
Optional |
Integer |
The authentication protocol.
| 0 | Unknown | | |
| 1 | NTLM | | |
| 2 | Kerberos | | |
| 3 | Digest | | |
| 4 | OpenID | | |
| 5 | SAML | | |
| 6 | OAUTH 2.0 | | |
| 7 | PAP | | |
| 8 | CHAP | | |
| 9 | EAP | | |
| 10 | RADIUS | | |
|
| Cleartext Credentials Ext |
cleartext_credentials |
Optional |
Boolean |
Indicates whether the credentials were passed in clear text. Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text. |
| Direction Ext |
direction_id |
Optional |
Integer |
The direction of the traffic identified in an IPS detection.
| 0 | Unknown | The session direction is unknown. | |
| 1 | Inbound | The session is incoming. The Remote Host initiated the session to this device. | |
| 2 | Outbound | The session is outgoing. This device initiated the session to the Remote Host. | |
|
| ID |
id |
Recommended |
Integer |
The unique session identifier, as reported by the operating system. |
| Admin Session |
is_admin |
Recommended |
Boolean |
The indication of whether the user or user session is admin/root. |
| Logon Type |
logon_type_id |
Recommended |
Integer |
The type of session logon.
| 1 | Interactive | A local logon to the device console. | |
| 2 | Remote Interactive | A logon using a remote protocol. | |
| 3 | Cached Interactive | A user logged on to this computer with network credentials that were stored locally on the computer and the domain controller was not contacted to verify the credentials. | |
| 4 | Network | A user or device logged onto this device from the network. | |
| 5 | Batch | A batch server logon, where processes may be executing on behalf of a user without their direct intervention. | |
| 6 | Service | A logon by a service or daemon that was started by the OS. | |
| 7 | New Credentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | |
|
| Port Ext |
port |
Recommended |
Integer |
The port that the remote session connects to; applicable for remote sessions only. |
| Previous Users Ext |
previous_users |
Recommended |
String Array |
An ordered list of the previous user names used within the session, from latest to earliest. |
| Remote |
remote |
Recommended |
Boolean |
The indication of whether the session is remote. |
| Remote Host Ext |
remote_host |
Recommended |
String |
The host name of the device associated with the remote session. |
| Remote IP Ext |
remote_ip |
Recommended |
IP Address |
The IP address of the device associated with the remote session. The format is either IPv4 or IPv6. |
| User |
user |
Recommended |
User |
The user object that is associated with this session. |