Session Type [7.2]
The type of session described in the log (for example, console, CLI, or web). This field is free text.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String (128 characters)
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Session Type |
| Client Console Short Name | Session Type |
| Web Console Tab/Name | Session Type |
| Elasticsearch Field Name | sessionType |
| Rule Builder Column Name | SessionType |
| Regex Pattern | <sessiontype> |
| NetMon Name | Not applicable |
Field Relationships
- Session
- Login
- Account
- Domain
- Process
- ProcessID
- Protname
- Protnum
Common Applications
- Windows security log lists all types of sessions (logon type)
- Linux authentication methods
Use Case
Tracking how users are interacting with a system.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- SessionType can exist without Session.
- Session can exist without a defined Session Type.
Examples
- Linux Host
10 15 2010 10:50:31 1.1.1.1 <SAU1:INFO> Oct 15 10:50:30 USABLDRRECFLOW01: [ID 702911 Host7] 700 Auth_method_success, Username: pete.store, Auth method: keyboard-interactive, Session-Id: 10707
Keyboard-Interactive parses into Session Type.
- Windows Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{2222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>0</Version><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-09T00:45:00.703363000Z'/><EventRecordID>2269912024</EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='12080'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>USBO1PDC02$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x200</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event>
LogonType parses into Session Type. The LogonType value of 5 establishes the session behind this LogonID as a Service session, which can be tracked with Session 0x3e7.
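The following is an added illustration in Python, not a LogRhythm MPE rule or LogRhythm code: it extracts Session Type and Session from shortened copies of the two sample logs above, keeping the two fields independent as the Usage Standards require. Assumptions: Python `(?P<name>...)` groups stand in for the `<sessiontype>` tag, Session is taken from `Session-Id` or `TargetLogonId`, and the `LOGON_TYPES` label table and all function names are hypothetical helpers.

```python
import re

MAX_LEN = 128  # the page documents Session Type as String (128 characters)

# Python named groups (?P<name>...) stand in for the <sessiontype> tag.
SESSIONTYPE_RES = [
    re.compile(r"Auth method:\s*(?P<sessiontype>[^,]+)"),
    re.compile(r"<Data Name='LogonType'>(?P<sessiontype>\d+)</Data>"),
]
# Assumption: Session comes from Session-Id or TargetLogonId.
SESSION_RES = [
    re.compile(r"Session-Id:\s*(?P<session>\S+)"),
    re.compile(r"<Data Name='TargetLogonId'>(?P<session>[^<]+)</Data>"),
]
# Windows logon types, used only for an analyst-readable label.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "10": "RemoteInteractive"}

def _first(patterns, group, log):
    """Return the first non-empty capture of `group`, or None."""
    for rx in patterns:
        m = rx.search(log)
        if m and m.group(group).strip():
            return m.group(group).strip()
    return None

def parse(log):
    """Extract Session Type and Session independently; either may be absent."""
    stype = _first(SESSIONTYPE_RES, "sessiontype", log)
    return {
        "sessionType": stype[:MAX_LEN] if stype else None,
        "session": _first(SESSION_RES, "session", log),
        "label": LOGON_TYPES.get(stype),
    }

# Shortened copies of the two sample logs on this page.
LINUX_LOG = ("Oct 15 10:50:30 USABLDRRECFLOW01: [ID 702911 Host7] 700 "
             "Auth_method_success, Username: pete.store, "
             "Auth method: keyboard-interactive, Session-Id: 10707")
WINDOWS_LOG = ("<EventID>4624</EventID><Data Name='TargetLogonId'>0x3e7</Data>"
               "<Data Name='LogonType'>5</Data>")
# Constructed log: a Session Type with no Session identifier.
NO_SESSION_LOG = "Auth_method_success, Username: pete.store, Auth method: password"

if __name__ == "__main__":
    for sample in (LINUX_LOG, WINDOWS_LOG, NO_SESSION_LOG):
        print(parse(sample))
```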