User Session

User sessions are the user activities undertaken on the computer in the course of conducting standard user actions.

Actions

Action	Description
interactive	The event corresponding to the act of a user conducting a local login. The logon session used requires a GUI.
local	The event corresponding to the act of a user logging on locally to the machine.
lock	The event corresponding to the act of a user locking a machine such that they are still logged into the machine but unable to access it without re-entering credentials, effectively entering the machine into a locked state.
login	The event corresponding to the act of a user logging into a machine.
logout	The event corresponding to the act of a user logging out of a machine.
rdp	The event corresponding to the act of a user accessing a machine remotely.
reconnect	The event corresponding to the act of a user reconnecting when an RDP session disconnects but the user is not logged off.
remote	The event corresponding to the act of a user conducting a network logon.
unlock	The event corresponding to the act of a user unlocking a machine currently in a locked state.

Field	Description	Example
dest_ip	The destination IP address of the user session. Only applicable to remote or RDP sessions.	`192.168.1.5`
dest_port	The destination port of the user session. Only applicable to remote or RDP sessions.	`1900`
hostname	The hostname of the host, without the domain.	`HOST1`
logon_id	A hex value corresponding to the session. The logon id will persist until logout occurs.	`0xf61f3`
src_ip	The source IP address of the user session. Only applicable to remote or RDP sessions.	`10.0.0.54`
src_port	The source port of the user session. Only applicable to remote or RDP sessions.	`50438`
user	The user affiliated with the session. May be a local, domain or SYSTEM user.	`HOST1\LOCALUSER`