User sessions are the activities a user undertakes on a computer in the course of standard use, from logging in, through locking, unlocking and reconnecting, to logging out.
Actions

| Action | Description |
| --- | --- |
| lock | The event corresponding to the act of a user locking a machine such that they are still logged into the machine but unable to access it without re-entering credentials, effectively entering the machine into a locked state. |
| login | The event corresponding to the act of a user logging into a machine. |
| logout | The event corresponding to the act of a user logging out of a machine. |
| reconnect | The event corresponding to the act of a user reconnecting when an RDP session disconnects but the user is not logged off. |
| unlock | The event corresponding to the act of a user unlocking a machine currently in a locked state. |
Fields

| Field | Description | Example |
| --- | --- | --- |
| dest_ip | The destination IP address of the user session. Only applicable to remote or RDP sessions. | 192.168.1.5 |
| dest_port | The destination port of the user session. Only applicable to remote or RDP sessions. | 1900 |
| hostname | The hostname of the host, without the domain. | HOST1 |
| login_successful | Boolean indicator of whether a login attempt was successful. | False |
| login_type | The type of login that was accomplished or attempted. | interactive, local, rdp, remote |
| login_id | A hex value corresponding to the session. The login id persists until logout occurs. | 0xf61f3 |
| src_ip | The source IP address of the user session. Only applicable to remote or RDP sessions. | 10.0.0.54 |
| src_port | The source port of the user session. Only applicable to remote or RDP sessions. | 50438 |
| uid | ID or SID of the user for which a session event occurred. | S-1-5-18 |
| user | The user affiliated with the session. May be a local, domain or SYSTEM user. | HOST1\LOCALUSER |
Coverage Map

| | dest_ip | dest_port | hostname | login_successful | login_type | logon_id | src_ip | src_port | uid | user |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| lock | | | | | | | | | | |
| login | | | | | | | | | | |
| logout | | | | | | | | | | |
| reconnect | | | | | | | | | | |
| unlock | | | | | | | | | | |
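The following is an added example, not code from the original data model page: it normalizes Windows Security log events into records that use the actions and fields defined above, then uses those records for two things a defender would want from this model, a per-session timeline keyed on `login_id` (which persists from login until logout) and a count of failed remote or RDP login attempts per `src_ip`. The event IDs (4624, 4625, 4634, 4778, 4800, 4801) and the numeric `LogonType` codes are the standard Windows Security log values; the mapping from those codes to the page's `login_type` vocabulary, the flattened input dict shape (4624-style field names for every event), and the sample events are all constructed for this example.

```python
"""Normalize Windows Security events into user_session records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Windows Security event ID -> user_session action (this example's mapping)
EVENT_ACTION = {
    4624: "login",      # An account was successfully logged on
    4625: "login",      # An account failed to log on
    4634: "logout",     # An account was logged off
    4778: "reconnect",  # A session was reconnected to a Window Station
    4800: "lock",       # The workstation was locked
    4801: "unlock",     # The workstation was unlocked
}

# Windows LogonType -> login_type value from the data model (assumed mapping)
LOGIN_TYPE = {
    2: "interactive",   # console logon
    3: "remote",        # network logon
    10: "rdp",          # RemoteInteractive
    11: "local",        # CachedInteractive: credentials validated locally
}

# Placeholder addresses Windows reports for non-network logons
LOCAL_ADDRS = {"-", "::1", "127.0.0.1", ""}


@dataclass
class UserSession:
    action: str
    hostname: str
    user: str
    uid: str
    login_id: str
    login_type: Optional[str] = None
    login_successful: Optional[bool] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dest_ip: Optional[str] = None    # not carried by 4624; left unset here
    dest_port: Optional[int] = None


def normalize(event: dict) -> Optional[UserSession]:
    """Map one flattened event dict (constructed, 4624-style field names) to a
    user_session record; return None for event IDs outside the model."""
    action = EVENT_ACTION.get(event.get("EventID"))
    if action is None:
        return None
    hostname = event["Computer"].split(".")[0]          # hostname without domain
    domain = event.get("TargetDomainName") or hostname
    rec = UserSession(
        action=action,
        hostname=hostname,
        user=f"{domain}\\{event['TargetUserName']}",
        uid=event["TargetUserSid"],
        login_id=event["TargetLogonId"].lower(),        # normalize hex case
    )
    if action == "login":
        rec.login_successful = event["EventID"] != 4625
        rec.login_type = LOGIN_TYPE.get(event.get("LogonType"))
    elif action == "reconnect":
        rec.login_type = "rdp"                          # reconnect is an RDP action
    src = event.get("IpAddress")
    # src_ip/src_port only apply to remote or RDP sessions
    if rec.login_type in ("rdp", "remote") and src and src not in LOCAL_ADDRS:
        rec.src_ip = src
        port = event.get("IpPort")
        rec.src_port = int(port) if port not in (None, "-") else None
    return rec


def session_timeline(records):
    """Group actions by login_id, which persists from login until logout."""
    timeline = defaultdict(list)
    for r in records:
        timeline[r.login_id].append(r.action)
    return dict(timeline)


def failed_remote_logins(records):
    """Failed remote/RDP login attempts per source IP: a first cut at spotting
    credential guessing against RDP from this data model alone."""
    return Counter(r.src_ip for r in records
                   if r.action == "login" and r.login_successful is False and r.src_ip)


def _ev(event_id, logon_id, **extra):
    """Build a constructed sample event (SID and host are made up)."""
    base = {"EventID": event_id, "Computer": "HOST1.corp.example",
            "TargetUserName": "LOCALUSER", "TargetDomainName": "HOST1",
            "TargetUserSid": "S-1-5-21-1111-2222-3333-1001",
            "TargetLogonId": logon_id}
    base.update(extra)
    return base


SAMPLE_EVENTS = [  # constructed, in time order
    _ev(4625, "0x0", LogonType=10, IpAddress="10.0.0.54", IpPort="50411"),
    _ev(4625, "0x0", LogonType=10, IpAddress="10.0.0.54", IpPort="50412"),
    _ev(4624, "0xF61F3", LogonType=10, IpAddress="10.0.0.54", IpPort="50438"),
    _ev(4800, "0xF61F3"),
    _ev(4801, "0xF61F3"),
    _ev(4624, "0xF6200", LogonType=2, IpAddress="-", IpPort="-"),
    _ev(4634, "0xF61F3"),
    {"EventID": 4688, "Computer": "HOST1.corp.example"},   # not a session event
]

RECORDS = [r for r in map(normalize, SAMPLE_EVENTS) if r is not None]

if __name__ == "__main__":
    for login_id, actions in session_timeline(RECORDS).items():
        print(login_id, "->", " > ".join(actions))
    print("failed remote logins:", dict(failed_remote_logins(RECORDS)))
```

The source-address check mirrors the model's "only applicable to remote or RDP sessions" rule: a console logon carries `-` or a loopback address in the Windows record, and copying that into `src_ip` would make a local login look like a network one. The two failed attempts are keyed on `src_ip` rather than `login_id`, because a failed attempt never receives a persistent session id.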