Skip to content

Enum: LogonTypeIdEnum

The normalized logon type identifier.

URI: ocsf:LogonTypeIdEnum

Permissible Values

Value Meaning Description
UNKNOWN None The logon type is unknown
SYSTEM None Used only by the System account, for example at system startup
INTERACTIVE None A local logon to device console
NETWORK None A user or device logged onto this device from the network
BATCH None A batch server logon, where processes may be executing on behalf of a user
OS_SERVICE None A logon by a service or daemon that was started by the OS
UNLOCK None A user unlocked the device
NETWORK_CLEARTEXT None A user logged on to this device from the network
NEW_CREDENTIALS None A caller cloned its current token and specified new credentials for outbound
REMOTE_INTERACTIVE None A remote logon using Terminal Services or remote desktop application
CACHED_INTERACTIVE None A user logged on to this device with network credentials that were stored
CACHED_REMOTE_INTERACTIVE None Same as Remote Interactive
CACHED_UNLOCK None Workstation logon
OTHER None The logon type is not mapped

Slots

Name Description
logon_type_id The normalized logon type identifier

Identifier and Mapping Information

Schema Source

LinkML Source

name: LogonTypeIdEnum
description: The normalized logon type identifier.
from_schema: https://w3id.org/lmodel/ocsf
rank: 1000
permissible_values:
  UNKNOWN:
    text: UNKNOWN
    description: The logon type is unknown.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '0'
      caption:
        tag: caption
        value: Unknown
  SYSTEM:
    text: SYSTEM
    description: Used only by the System account, for example at system startup.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '1'
      caption:
        tag: caption
        value: System
  INTERACTIVE:
    text: INTERACTIVE
    description: A local logon to device console.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '2'
      caption:
        tag: caption
        value: Interactive
  NETWORK:
    text: NETWORK
    description: A user or device logged onto this device from the network.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '3'
      caption:
        tag: caption
        value: Network
  BATCH:
    text: BATCH
    description: 'A batch server logon, where processes may be executing on behalf
      of a user

      without their direct intervention.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '4'
      caption:
        tag: caption
        value: Batch
  OS_SERVICE:
    text: OS_SERVICE
    description: A logon by a service or daemon that was started by the OS.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '5'
      caption:
        tag: caption
        value: OS Service
  UNLOCK:
    text: UNLOCK
    description: A user unlocked the device.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '7'
      caption:
        tag: caption
        value: Unlock
  NETWORK_CLEARTEXT:
    text: NETWORK_CLEARTEXT
    description: 'A user logged on to this device from the network. The user''s password
      in the

      authentication package was not hashed.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '8'
      caption:
        tag: caption
        value: Network Cleartext
  NEW_CREDENTIALS:
    text: NEW_CREDENTIALS
    description: 'A caller cloned its current token and specified new credentials
      for outbound

      connections. The new logon session has the same local identity, but uses

      different credentials for other network connections.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '9'
      caption:
        tag: caption
        value: New Credentials
  REMOTE_INTERACTIVE:
    text: REMOTE_INTERACTIVE
    description: A remote logon using Terminal Services or remote desktop application.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '10'
      caption:
        tag: caption
        value: Remote Interactive
  CACHED_INTERACTIVE:
    text: CACHED_INTERACTIVE
    description: 'A user logged on to this device with network credentials that were
      stored

      locally on the device and the domain controller was not contacted to verify
      the

      credentials.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '11'
      caption:
        tag: caption
        value: Cached Interactive
  CACHED_REMOTE_INTERACTIVE:
    text: CACHED_REMOTE_INTERACTIVE
    description: Same as Remote Interactive. This is used for internal auditing.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '12'
      caption:
        tag: caption
        value: Cached Remote Interactive
  CACHED_UNLOCK:
    text: CACHED_UNLOCK
    description: Workstation logon.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '13'
      caption:
        tag: caption
        value: Cached Unlock
  OTHER:
    text: OTHER
    description: 'The logon type is not mapped. See the <code>logon_type</code> attribute,
      which

      contains a data source specific value.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '99'
      caption:
        tag: caption
        value: Other